SummerOfCode/2012/UserCSP/WeeklyUpdates/2012-06-18

From MozillaWiki
Jump to: navigation, search

« previous week | index | next week »



This Week

Monday, 18 June

  • Tested "X-Content-Security-Policy" header injection
    • Use google.co.in for testing and block images from google by setting img-src directive in CSP rules. I observed that userCSP add-on successfully injected "X-Content-Security-Policy" header in Google response web page and images from google were blocked.
    • I also created two websites in virtual machine for testing purpose namely "a.com" and "b.com". A webpage from "a.com" loads scripts and images from both "a.com" as well as "b.com". Using userCSP add-on, I set img-src and script-src to "a.com" for webpages from "a.com". Thus userCSP add-on sucessfully block resources from "b.com" to be loaded.

Tuesday, 19 June

  • Google search on mozilla idl's to implement combine strict and combine loose functionality when two csp policies are available.

Wednesday, 20 June

Thursday, 21 June

Friday, 22 June

  • Created a global table to store complete csp policy for website defined CSP and user specified CSP.