Monday, 18 June
- Tested "X-Content-Security-Policy" header injection
- Use google.co.in for testing and block images from google by setting img-src directive in CSP rules. I observed that userCSP add-on successfully injected "X-Content-Security-Policy" header in Google response web page and images from google were blocked.
- I also created two websites in virtual machine for testing purpose namely "a.com" and "b.com". A webpage from "a.com" loads scripts and images from both "a.com" as well as "b.com". Using userCSP add-on, I set img-src and script-src to "a.com" for webpages from "a.com". Thus userCSP add-on sucessfully block resources from "b.com" to be loaded.
Tuesday, 19 June
- Google search on mozilla idl's to implement combine strict and combine loose functionality when two csp policies are available.
Wednesday, 20 June
- Reading "ContentSecurityPolicy" idl
Thursday, 21 June
Friday, 22 June
- Created a global table to store complete csp policy for website defined CSP and user specified CSP.