SummerOfCode/2012/UserCSP/WeeklyUpdates/2012-08-06

From MozillaWiki

< SummerOfCode‎ | 2012‎ | UserCSP

Jump to: navigation, search

« previous week | index | next week »

Contents

1 This Week
2 Monday, 06 August
3 Tuesday, 07 August
4 Wednesday, 08 August
5 Thursday, 09 August
6 Friday, 10 August

This Week

Monday, 06 August

Under CSP, inline Eval() are by default disabled. To allow users to allow or disallow inline Eval() setting for each domain, I added inline Eval() disabled/enabled option to add-on UI under "ALL" tabs.

Local database of add-on extended to support inline Eval choice of users.

Tuesday, 07 August

Tested inline Eval() feature added to add-on UI with a webiste I created in VM.

I setup VM running "www.example.com" website. Its inlineEval.html page is as follows:

<html>
<body>
 <a href="javascript:eval(alert('hi'));" >Click here </a>
 </body>
</html>

When I clicked on "Click here" button it showed alert prompt with text 'hi'. After I disabled inline Eval for the website using our add-on, the prompt was disallowed, which is the expected result.

Wednesday, 08 August

Some minor tweaks in add-on UI such as, added spacing between policy label and policy rules for better visibility of policies.

Thursday, 09 August

Policy rules are displayed in Blue color and all other text is in black color in add-on UI.

Read refinePolicy() function source code on "content/base/src/CSPUtils.jsm" file. I used refinePolicy() function to combine website policy and user policy with strict subset.

For example, https://csptest.computerist.org sets following CSP rules Website CSP Rules:

allow 'self'; img-src 'self'; script-src 'self'; options 'bogus-option'; report-uri https://unknown.computerist.org:8443/report

If user defined following rules using our add-on: User CSP Rules:

script-src 'self' ;

Then combine Strict rules I get using refinePolicy() function are as follows: Combine Strict Rules:

default-src 'none'; script-src 'none'; style-src 'none'; media-src 'none'; img-src 'none'; object-src 'none'; frame-src 'none'; frame-ancestors *; font-src 'none'; xhr-src 'none'

Whereas, website and user both set script-src to 'self', but refinePolicy function returns 'none' for script-src.

This issue is not yet resolved.

Friday, 10 August

My mentor found another bug. Sometimes website rules are not shown in the add-on UI.
- The reason for this problem is, when user refreshes the page and web page is loaded from browser cache, there is no X-Content-Security-Policy header in the response. Therefore, web page CSP rules are empty.

Retrieved from "https://wiki.mozilla.org/index.php?title=SummerOfCode/2012/UserCSP/WeeklyUpdates/2012-08-06&oldid=460675"