SummerOfCode/2012/UserCSP/WeeklyUpdates/2012-08-06

From MozillaWiki


This Week

Monday, 06 August

  • Under CSP, inline eval() is disabled by default. To let users allow or disallow inline eval() for each domain, I added an inline eval() disabled/enabled option to the add-on UI under the "ALL" tab.
  • The add-on's local database was extended to store each user's inline eval() choice.

Tuesday, 07 August

  • Tested the inline eval() feature added to the add-on UI with a website I created in a VM.
  • I set up a VM running the "www.example.com" website. Its inlineEval.html page is as follows:
<html>
  <body>
    <a href="javascript:eval(alert('hi'));">Click here</a>
  </body>
</html>

When I clicked the "Click here" link, it showed an alert prompt with the text 'hi'. After I disabled inline eval() for the website using our add-on, the prompt was blocked, which is the expected result.

Wednesday, 08 August

  • Some minor tweaks to the add-on UI, such as adding spacing between the policy label and the policy rules for better visibility of the policies.

Thursday, 09 August

  • Policy rules are displayed in blue and all other text in black in the add-on UI.
  • Read the source code of the refinePolicy() function in the file "content/base/src/CSPUtils.jsm". I used refinePolicy() to combine the website policy and the user policy into a strict subset.

For example, https://csptest.computerist.org sets the following CSP rules (Website CSP Rules):

allow 'self'; img-src 'self'; script-src 'self'; options 'bogus-option'; report-uri https://unknown.computerist.org:8443/report 

If the user defines the following rules using our add-on (User CSP Rules):

script-src 'self' ;

then the combined strict rules I get from refinePolicy() are as follows (Combined Strict Rules):

default-src 'none'; script-src 'none'; style-src 'none'; media-src 'none'; img-src 'none'; object-src 'none'; frame-src 'none'; frame-ancestors *; font-src 'none'; xhr-src 'none' 

Although both the website and the user set script-src to 'self', refinePolicy() returns 'none' for script-src.

This issue is not yet resolved.
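As an added illustration of what the strict combination above is expected to produce (this is example code written for this page, not the add-on's code and not the refinePolicy() function from CSPUtils.jsm), the following JavaScript parses two X-Content-Security-Policy style policies and intersects them directive by directive. It assumes that "allow" means the same as default-src, that a directive missing from one policy falls back to that policy's default-src and otherwise counts as 'none', and that non-source directives such as "options" and "report-uri" are dropped. The WEBSITE_RULES and USER_RULES strings are the two policies quoted above; under these assumptions they combine to script-src 'self' with every other directive 'none', which is the result this entry expects rather than the 'none' that refinePolicy() returned.

```javascript
// Added example: strict intersection of a website CSP and a user CSP.
// Not the UserCSP add-on's code and not Firefox's CSPUtils.jsm; the
// fallback semantics below are assumptions made for this illustration.

// Source-list directives understood by this example (default-src handled
// separately as the fallback for the others).
const SOURCE_DIRECTIVES = [
  "default-src", "script-src", "style-src", "img-src", "media-src",
  "object-src", "frame-src", "font-src", "xhr-src",
];

// Parse "directive source source; directive source ..." into a Map of
// directive name -> Set of source expressions. "allow" is treated as a
// synonym for default-src; directives that are not source lists (options,
// report-uri) are dropped.
function parsePolicy(text) {
  const policy = new Map();
  for (const clause of text.split(";")) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    let [name, ...sources] = tokens;
    name = name.toLowerCase();
    if (name === "allow") name = "default-src";
    if (!SOURCE_DIRECTIVES.includes(name)) continue;
    policy.set(name, new Set(sources.map((s) => s.toLowerCase())));
  }
  return policy;
}

// Sources a policy effectively allows for a directive: the directive itself,
// else its default-src, else 'none' (assumed strict interpretation).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return new Set(["'none'"]);
}

// Intersection of two source lists: 'none' dominates, '*' yields the other
// side unchanged, otherwise only the expressions present in both survive.
function intersectSources(a, b) {
  if (a.has("'none'") || b.has("'none'")) return new Set(["'none'"]);
  if (a.has("*")) return new Set(b);
  if (b.has("*")) return new Set(a);
  const common = new Set([...a].filter((s) => b.has(s)));
  return common.size === 0 ? new Set(["'none'"]) : common;
}

// Combine a website policy and a user policy into the strict (intersected)
// policy, returned as an object of directive -> space-separated sources.
function refineStrict(siteText, userText) {
  const site = parsePolicy(siteText);
  const user = parsePolicy(userText);
  const refined = {};
  for (const directive of SOURCE_DIRECTIVES) {
    if (directive === "default-src") continue;
    const merged = intersectSources(
      effectiveSources(site, directive),
      effectiveSources(user, directive),
    );
    refined[directive] = [...merged].sort().join(" ");
  }
  return refined;
}

// Render the refined policy back into header syntax.
function serialize(refined) {
  return Object.entries(refined)
    .map(([directive, sources]) => `${directive} ${sources}`)
    .join("; ");
}

// The two policies from the Thursday entry above.
const WEBSITE_RULES =
  "allow 'self'; img-src 'self'; script-src 'self'; options 'bogus-option'; " +
  "report-uri https://unknown.computerist.org:8443/report";
const USER_RULES = "script-src 'self' ;";

console.log(serialize(refineStrict(WEBSITE_RULES, USER_RULES)));
```

Running it prints script-src 'self' followed by 'none' for the remaining directives, which is what a strict subset of the two policies should look like; the 'none' for script-src that refinePolicy() produced is the discrepancy the entry describes.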

Friday, 10 August

  • My mentor found another bug: sometimes the website rules are not shown in the add-on UI.
    • The reason is that when the user refreshes the page and it is loaded from the browser cache, the response has no X-Content-Security-Policy header, so the web page's CSP rules are empty.