SummerOfCode/2012/UserCSP/WeeklyUpdates/2012-08-06

From MozillaWiki


This Week

Monday, 06 August

  • Under CSP, inline eval() is disabled by default. To let users allow or disallow inline eval() for each domain, I added an inline eval() enabled/disabled option to the add-on UI under the "ALL" tab.
  • The add-on's local database was extended to store the user's inline eval() choice.

Tuesday, 07 August

  • Tested the inline eval() feature added to the add-on UI with a website I created in a VM.
  • I set up a VM running the "www.example.com" website. Its inlineEval.html page is as follows:

<html>
<body>
  <a href="javascript:eval(alert('hi'));">Click here</a>
</body>
</html>

When I clicked on "Click here", an alert prompt with the text 'hi' appeared. After I disabled inline eval for the website using our add-on, the prompt was blocked, which is the expected result.

Wednesday, 08 August

  • Some minor tweaks to the add-on UI, such as added spacing between the policy label and the policy rules so that policies are easier to read.

Thursday, 09 August

  • Policy rules are displayed in blue and all other text in black in the add-on UI.
  • Read the source of the refinePolicy() function in "content/base/src/CSPUtils.jsm". I use refinePolicy() to combine the website policy and the user policy as a strict subset (the intersection of what both allow).

For example, https://csptest.computerist.org sets the following CSP rules.

Website CSP rules:

allow 'self'; img-src 'self'; script-src 'self'; options 'bogus-option'; report-uri https://unknown.computerist.org:8443/report

If the user defines the following rules using our add-on:

User CSP rules:

script-src 'self' ;

then the combined strict rules I get from refinePolicy() are as follows.

Combined strict rules:

default-src 'none'; script-src 'none'; style-src 'none'; media-src 'none'; img-src 'none'; object-src 'none'; frame-src 'none'; frame-ancestors *; font-src 'none'; xhr-src 'none'

Both the website and the user set script-src to 'self', yet refinePolicy() returns 'none' for script-src.

This issue is not yet resolved.
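As an added illustration of the result the strict combination should produce (example code written for this page, not the add-on's refinePolicy() from CSPUtils.jsm), the script below intersects the two policies quoted above directive by directive; parsePolicy, combineStrict, the default-src fallback and exact-string source matching are assumptions of this example.

```javascript
// Added example, not the UserCSP add-on's refinePolicy(): a strict
// intersection of a site's CSP with a user CSP, using the 2012
// X-Content-Security-Policy directive names that appear on this page.
// Assumptions: "allow" is the legacy spelling of default-src, a directive
// absent from a policy falls back to that policy's default-src (or to
// "*" if it has none), and sources are compared as exact strings.
const SOURCE_DIRECTIVES = ["default-src", "script-src", "style-src", "media-src",
  "img-src", "object-src", "frame-src", "font-src", "xhr-src"];

// "name src src; name src" -> { name: Set(sources) }. Non-source directives
// such as options and report-uri are parsed but not combined below.
function parsePolicy(text) {
  const policy = {};
  for (const clause of text.split(";")) {
    const parts = clause.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    policy[name === "allow" ? "default-src" : name] = new Set(parts.slice(1));
  }
  return policy;
}

// Effective source list for a directive, honouring the default-src fallback.
function sourcesFor(policy, directive) {
  return policy[directive] || policy["default-src"] || new Set(["*"]);
}

// Keep only sources both lists allow; an empty intersection means 'none'.
function intersectSources(a, b) {
  if (a.has("'none'") || b.has("'none'")) return new Set(["'none'"]);
  if (a.has("*")) return new Set(b);
  if (b.has("*")) return new Set(a);
  const common = [...a].filter((src) => b.has(src));
  return new Set(common.length ? common : ["'none'"]);
}

// Strict combination: each source directive allows only what BOTH policies
// allow, so script-src 'self' on both sides stays 'self', never 'none'.
function combineStrict(siteText, userText) {
  const site = parsePolicy(siteText), user = parsePolicy(userText);
  const combined = {};
  for (const d of SOURCE_DIRECTIVES) {
    combined[d] = intersectSources(sourcesFor(site, d), sourcesFor(user, d));
  }
  return combined;
}

// The two policies quoted on this page, combined and printed as one string.
const SITE_POLICY = "allow 'self'; img-src 'self'; script-src 'self'; options 'bogus-option'; report-uri https://unknown.computerist.org:8443/report";
const USER_POLICY = "script-src 'self' ;";
console.log(Object.entries(combineStrict(SITE_POLICY, USER_POLICY)).map(([d, s]) => `${d} ${[...s].join(" ")}`).join("; "));
```

With these inputs every source directive comes out as 'self', which is what the page says refinePolicy() should have produced for script-src.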

Friday, 10 August

  • My mentor found another bug: sometimes website rules are not shown in the add-on UI.
    • The reason is that when the user refreshes the page and it is loaded from the browser cache, the response carries no X-Content-Security-Policy header, so the web page's CSP rules are empty.