Closed edmorley closed 5 years ago
april
commented
7 years ago It should generate frame-src, which is the CSP1/CSP3 directive and supported by all browsers AFAIK. I could probably duplicate frame-src into child-src, however.
Does it not work for workers or manifests? If you know a site that's it isn't catching these directives, I would love to hack away on this.
edmorley
commented
7 years ago I haven't tested the addon against sites that use workers or manifests, I just happened to notice this by code/spec inspection :-)
april
commented
7 years ago I think I have a way that I can fix worker-src but I don't want to work on code with overlapping areas because the merging will be a nightmare. When you get a chance, could you take a look at #5 and see if it's fixed? No rush, but I'm going to block this until I close that one out.
Thanks! :)
strider72
commented
6 years ago Firefox itself returns an error on every page load saying we should stop using frame-src and use child-src instead
april
commented
6 years ago That's actually a "bug" (or rather a carryover from CSP2) and should be fixed, I believe, in Firefox 58.
On Oct 31, 2017, at 11:54 AM, Stephen Rider notifications@github.com wrote:
Firefox itself returns an error on every page load saying we should stop using frame-src and use child-src instead
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/april/laboratory/issues/7#issuecomment-340828204, or mute the thread https://github.com/notifications/unsubscribe-auth/AAOEgIfqVd6A9YOnwxqEslskqBUtZa77ks5sx1C1gaJpZM4Ni9aC .
strider72
commented
6 years ago So what is correct? Should I use both frame-src and child-src ?
bbigras
commented
6 years ago If you know a site that's it isn't catching these directives, I would love to hack away on this.
I have problems with sites using workers or manifests. Do you still need a website to test with?
april
commented
6 years ago Sure, that sounds great!
bbigras
commented
6 years ago Sorry for the long delay.
I uploaded one on cloudfront: https://d2fvntyq3yu3ps.cloudfront.net/ I think the ServiceWorker will never register because of the "Bad Content-Type" error but you can still test the CSP policy with the addon.
april
commented
6 years ago Thanks! I'll be poking away at this at some point but it may be a little bit. :)
april
commented
5 years ago I know it seems like it would never be fixed, but I actually made this work in 2f225b938e46f425aea3068573ce02cf95a12127. It required some internal Firefox changes before it could happen. Check out version 3.0 on AMO, and let me know if it's working for you!
edmorley
commented
5 years ago Amazing - thank you :-)
The
default-srcdirective covers a few more cases than laboratory currently supports: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-srcThis means that laboratory might generate a CSP header whose
default-src noneblocks: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src