Open sbehrens opened 11 years ago
Thanks for the write-up.
The autorunner requires an additional host parameter (specified by -o) in order to know which host to create a CSP for. This is a known limitation.
However, even when specifying a host (i.e. python autorun.py netflixurls.txt -o netflix.com) I am able to reproduce the bug you described (you should normally see the proxy traffic in the terminal). However, at least for me, the autorunner still seems to work for certain urls (like cnn.com, www.etsy.com). I think this problem is with the selenium-powered instance of firefox that I am using, since starting up the proxy manually:
cd proxy && python run.py -o netflix.com
loading up Firefox 24, setting Firefox's proxy to 127.0.0.1:8080, and then browsing to netflix.com creates CSP log entries.
Just pushed a commit to fix the aforementioned issue with specific URLs. However, certain specific urls, such as "twitter.com" will fail due to a certificate issue that seems to be an issue with mitmproxy--I will probably file an issue for this.
I've had similar issues and I think it's related to http vs https. For instance, I can generate traffic for http://www.csc.tntech.edu but not for https://www.csc.tntech.edu. Sites mentioned above (facebook, twitter, netflix) are https only and so would experience the same issues.
When running against any host (say facebook.com/netflix.com/twitter.com/etc.) the suggested policy is identical for each host. See output below:
$ python autorun.py hosts.txt
Starting proxy
Visiting urls
http://facebook.com
Shutting down proxy
Parsing logs
default-src 'self';
Using the CSP bookmarklet I end up with a totally different policy recommendation so I'm not sure if the parser is working as expected.
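To make the symptom in this thread concrete, here is an added example (not the autorunner's own parser) of how a proxy-log-to-CSP step typically works: each observed load is bucketed into a directive by resource type and by origin, and when the proxy recorded no traffic at all (the https case above) the result collapses to `default-src 'self';` for every host. The resource-type labels, the `example.test` hosts and the log lines are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed mapping from a proxy's resource-type label to the CSP
# directive that governs that kind of load (assumed labels, not the
# project's).
DIRECTIVE_FOR_TYPE = {
    "script": "script-src",
    "stylesheet": "style-src",
    "image": "img-src",
    "font": "font-src",
    "xhr": "connect-src",
    "frame": "frame-src",
}

def build_policy(page_origin, observed):
    """Derive a CSP from (resource_type, url) pairs a proxy saw while
    loading page_origin (e.g. "https://www.example.test").

    Loads from the exact page origin become 'self'; every other origin is
    listed as scheme://host under its directive. An empty log yields only
    "default-src 'self';", identical for every host, which is exactly what
    an HTTPS-only site the proxy never intercepted looks like."""
    page = urlparse(page_origin)
    sources = {}
    for rtype, url in observed:
        directive = DIRECTIVE_FOR_TYPE.get(rtype)
        if directive is None:          # documents and unknown types are skipped
            continue
        u = urlparse(url)
        if u.scheme not in ("http", "https") or not u.hostname:
            continue
        same_origin = (u.scheme, u.hostname, u.port) == (page.scheme, page.hostname, page.port)
        src = "'self'" if same_origin else f"{u.scheme}://{u.hostname}"
        sources.setdefault(directive, set()).add(src)
    parts = ["default-src 'self'"]
    for directive in sorted(sources):
        parts.append(f"{directive} {' '.join(sorted(sources[directive]))}")
    return "; ".join(parts) + ";"

# Constructed proxy log for a fictional site; a real run would read these
# from the proxy's flow records.
SAMPLE_LOG = [
    ("document", "https://www.example.test/"),
    ("script", "https://www.example.test/app.js"),
    ("script", "https://cdn.example-static.test/lib.js"),
    ("stylesheet", "https://www.example.test/site.css"),
    ("image", "https://images.example-static.test/logo.png"),
    ("image", "https://www.example.test/favicon.ico"),
    ("xhr", "https://api.example.test/v1/config"),
]

if __name__ == "__main__":
    print(build_policy("https://www.example.test", SAMPLE_LOG))
    print(build_policy("https://netflix.com", []))   # no traffic captured
```

Comparing the second output with the first shows why a per-host policy that never changes points at the capture step (proxy/TLS) rather than the parser.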