mozilla / scanjs

[DEPRECATED] Static analysis tool for javascript code.

removing inline JavaScript from tests/index.html & adding CSP to the test server #93

Closed mozfreddyb closed 10 years ago

mozfreddyb commented 10 years ago

As outlined in #65, we can just fix the inline bits in JS. It seems that Mocha/Chai don't introduce any other CSP breakage :)

pwnetrationguru commented 10 years ago

@mozfreddyb, on FF29, this change causes all tests to fail with the following CSP violation:

acorn.js: 378
Error: call to Function() blocked by CSP
return new Function("str", f);

Surprisingly, on Safari and Chrome, it appears to work fine.

I don't think I'm newbing anything up. I've cleared cache, tried a new private window, etc. and I still get the violation in FF29 (fwiw, I was getting the errors in FF28 as well)

mozfreddyb commented 10 years ago

There was a typo in the CSP, which would then skip the 'unsafe-eval' directive (fixed by eda2335). Can you try again, @pwnetrationguru?
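To make the failure mode in this thread concrete (a misspelled keyword is silently ignored by the browser, so 'unsafe-eval' never takes effect and acorn's `new Function("str", f)` is blocked), here is an added example, not scanjs code: a minimal CSP parser that reports whether a policy permits eval-style code. The policy strings are constructed for illustration, not the project's actual header.

```javascript
// Added example (not scanjs code): decide whether a Content-Security-Policy
// string permits eval()/new Function(). Browsers block both unless the
// governing script directive contains 'unsafe-eval'; when script-src is
// absent, default-src governs scripts instead.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Browsers honour only the first occurrence of a directive name.
    if (!directives.has(key)) {
      directives.set(key, sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Returns true when eval()/new Function() is allowed under `policy`.
function allowsEval(policy) {
  const d = parseCsp(policy);
  const governing = d.get("script-src") || d.get("default-src");
  if (!governing) return true; // no script restriction at all
  // Unknown tokens such as 'unsafe-evl' are ignored, which is exactly how a
  // typo in the policy ends up blocking Function() in the browser.
  return governing.includes("'unsafe-eval'");
}

// Constructed policies for the check (not the scanjs test server's header).
const GOOD_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'";
const TYPO_CSP = "default-src 'self'; script-src 'self' 'unsafe-evl'";
```

Running `allowsEval` over the header a test server actually emits is a cheap pre-flight check before pointing a browser at it.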

pwnetrationguru commented 10 years ago

boom, fixed up conflicts and merging in.

Thanks for this @mozfreddyb and sorry it took so long to get merged in!