SummerOfCode/2012/UserCSP/WeeklyUpdates/2012-08-06
From MozillaWiki
< SummerOfCode | 2012 | UserCSP
« previous week | index | next week »
Contents
This Week
Monday, 06 August
- Under CSP, inline Eval() are by default disabled. To allow users to allow or disallow inline Eval() setting for each domain, I added inline Eval() disabled/enabled option to add-on UI under "ALL" tabs.
- Local database of add-on extended to support inline Eval choice of users.
Tuesday, 07 August
- Tested inline Eval() feature added to add-on UI with a webiste I created in VM.
- I setup VM running "www.example.com" website. Its inlineEval.html page is as follows:
<html> <body> <a href="javascript:eval(alert('hi'));" >Click here </a> </body> </html>
When I clicked on "Click here" button it showed alert prompt with text 'hi'. After I disabled inline Eval for the website using our add-on, the prompt was disallowed, which is the expected result.
Wednesday, 08 August
- Some minor tweaks in add-on UI such as, added spacing between policy label and policy rules for better visibility of policies.
Thursday, 09 August
- Policy rules are displayed in Blue color and all other text is in black color in add-on UI.
- Read refinePolicy() function source code on "content/base/src/CSPUtils.jsm" file. I used refinePolicy() function to combine website policy and user policy with strict subset.
For example, https://csptest.computerist.org sets following CSP rules Website CSP Rules:
allow 'self'; img-src 'self'; script-src 'self'; options 'bogus-option'; report-uri https://unknown.computerist.org:8443/report
If user defined following rules using our add-on: User CSP Rules:
script-src 'self' ;
Then combine Strict rules I get using refinePolicy() function are as follows: Combine Strict Rules:
default-src 'none'; script-src 'none'; style-src 'none'; media-src 'none'; img-src 'none'; object-src 'none'; frame-src 'none'; frame-ancestors *; font-src 'none'; xhr-src 'none'
Whereas, website and user both set script-src to 'self', but refinePolicy function returns 'none' for script-src.
This issue is not yet resolved.
Friday, 10 August
- My mentor found another bug. Sometimes website rules are not shown in the add-on UI.
- The reason for this problem is, when user refreshes the page and web page is loaded from browser cache, there is no X-Content-Security-Policy header in the response. Therefore, web page CSP rules are empty.