Closed edmorley closed 5 years ago
It should generate frame-src, which is the CSP1/CSP3 directive and supported by all browsers AFAIK. I could probably duplicate frame-src into child-src, however.
Does it not work for workers or manifests? If you know a site where it isn't catching these directives, I would love to hack away on this.
I haven't tested the addon against sites that use workers or manifests, I just happened to notice this by code/spec inspection :-)
I think I have a way that I can fix worker-src but I don't want to work on code with overlapping areas because the merging will be a nightmare. When you get a chance, could you take a look at #5 and see if it's fixed? No rush, but I'm going to block this until I close that one out.
Thanks! :)
Firefox itself returns an error on every page load saying we should stop using frame-src and use child-src instead
That's actually a "bug" (or rather a carryover from CSP2) and should be fixed, I believe, in Firefox 58.
On Oct 31, 2017, at 11:54 AM, Stephen Rider notifications@github.com wrote:
Firefox itself returns an error on every page load saying we should stop using frame-src and use child-src instead
So what is correct? Should I use both frame-src and child-src?
If you know a site where it isn't catching these directives, I would love to hack away on this.
I have problems with sites using workers or manifests. Do you still need a website to test with?
Sure, that sounds great!
Sorry for the long delay.
I uploaded one on cloudfront: https://d2fvntyq3yu3ps.cloudfront.net/ I think the ServiceWorker will never register because of the "Bad Content-Type" error but you can still test the CSP policy with the addon.
Thanks! I'll be poking away at this at some point but it may be a little bit. :)
I know it seems like it would never be fixed, but I actually made this work in 2f225b938e46f425aea3068573ce02cf95a12127. It required some internal Firefox changes before it could happen. Check out version 3.0 on AMO, and let me know if it's working for you!
Amazing - thank you :-)
The default-src directive covers a few more cases than laboratory currently supports: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
This means that laboratory might generate a CSP header whose default-src none blocks:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src
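The issue body above (default-src 'none' silently governing child-src, manifest-src and worker-src) and the earlier comment about duplicating frame-src into child-src both come down to the CSP3 fallback chains. The following added example, which is not Laboratory's code, resolves which directive governs a frame, worker or manifest load for a given policy string and shows what the duplication changes. The fallback order is taken from the CSP Level 3 spec; the policy strings and origins are constructed for illustration, and parsing is limited to 'none', 'self' and literal origins.

```javascript
// Added example: CSP3 fallback resolution for the fetch kinds discussed in
// the thread.  Chains per CSP Level 3 (from the spec, not from the add-on):
//   frame    -> frame-src    -> child-src -> default-src
//   worker   -> worker-src   -> child-src -> script-src -> default-src
//   manifest -> manifest-src -> default-src
const FALLBACK = {
  frame: ["frame-src", "child-src", "default-src"],
  worker: ["worker-src", "child-src", "script-src", "default-src"],
  manifest: ["manifest-src", "default-src"],
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Parse a serialized policy ("a b; c d") into { directive: [sources] }.
function parsePolicy(header) {
  const policy = {};
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Name of the directive that governs `kind`, or null when the policy is silent.
function governingDirective(policy, kind) {
  for (const name of FALLBACK[kind]) {
    if (has(policy, name)) return name;
  }
  return null;
}

// Would a load of `kind` from `origin` be allowed on a page at `pageOrigin`?
// Only 'none', 'self' and explicit origins are evaluated (constructed subset).
function allows(policy, kind, origin, pageOrigin) {
  const name = governingDirective(policy, kind);
  if (name === null) return true; // no directive in the chain: unrestricted
  const sources = policy[name];
  if (sources.includes("'none'")) return false;
  if (sources.includes("'self'") && origin === pageOrigin) return true;
  return sources.includes(origin);
}

// The workaround discussed in the thread: copy frame-src into child-src so a
// CSP2-era browser that only consults child-src for frames gets the same list.
function duplicateFrameSrcIntoChildSrc(policy) {
  if (has(policy, "frame-src") && !has(policy, "child-src")) {
    policy["child-src"] = [...policy["frame-src"]];
  }
  return policy;
}

function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Constructed policy of the shape the issue describes: default-src 'none'
// plus a frame allow-list, but no child-src, worker-src or manifest-src.
const generated = parsePolicy(
  "default-src 'none'; script-src 'self'; frame-src https://example.com"
);
const page = "https://site.test";
console.log("manifest governed by", governingDirective(generated, "manifest"),
  "allowed:", allows(generated, "manifest", page, page)); // default-src, false
console.log("worker governed by", governingDirective(generated, "worker"),
  "allowed:", allows(generated, "worker", page, page)); // script-src, true
const patched = duplicateFrameSrcIntoChildSrc(parsePolicy(serializePolicy(generated)));
console.log(serializePolicy(patched));
console.log("worker after duplication governed by", governingDirective(patched, "worker"),
  "allowed:", allows(patched, "worker", page, page)); // child-src, false
```

The last line is the caveat worth checking before shipping the duplication: in CSP3, child-src also sits in the worker fallback chain ahead of script-src, so copying a frame allow-list into child-src changes what same-origin workers may load unless worker-src is emitted as well.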