6 years ago

The CSP 1.0 spec allows the keywords 'unsafe-inline' and 'unsafe-eval' to be set on the default-src directive. If they are set, and script-src is not defined, then they are applied to scripts, and if style-src is not defined, 'unsafe-inline' is applied to styles. Section 5.1, Example 3 of the CSP 1.0 and CSP 1.1 specs gives such a policy:

Content-Security-Policy: default-src 'self'; script-src

Our CSP 1.0 implementation does not implement this behavior; the 'unsafe-inline' and 'unsafe-eval' keywords are only honored if they are used in the script-src or style-src directives.

6 years ago

Comment on Patch 1
Review of:
-----------------------------------------------------------------

When this is finished, we will probably want to uplift this to Fx24 (Aurora) and Fx23 (Beta).

You probably should also write a test that checks that in a policy of |default-src: 'unsafe-inline'; script-src: self| inline scripts are not allowed to execute (specific script-src overrides default-src in that case) and maybe the same for styles. It looks like the code in CSPUtils.jsm handles this case correctly, though.

r+ if you add the test and the pushPrefEnv :)

::: content/base/src/CSPUtils.jsm
@@ +539,5 @@
> // styles by specifying either default-src or style-src.

6 years ago

(In reply to Ian Melven [:imelven] from )
> Comment on Patch 1
>
> Review of:
> -----------------------------------------------------------------
>
> When this is finished, we will probably want to uplift this to Fx24 (Aurora)
> and Fx23 (Beta).
>
> You probably should also write a test that checks that in a policy of
> |default-src: 'unsafe-inline'; script-src: self| inline scripts are not
> allowed to execute (specific script-src overrides default-src in that case)
> and maybe the same for styles. It looks like the code
> in CSPUtils.jsm handles this case correctly, though.

Good idea. Is there any way for me to do this without copy-pasting my current mochitest and mochitest ^headers^ file, and just changing the ^headers^ file? Feels wasteful.

> r+ if you add the test and the pushPrefEnv :)
>
> ::: content/base/src/CSPUtils.jsm
> @@ +539,5 @@
> > // styles by specifying either default-src or style-src.

6 years ago

(In reply to Garrett Robinson [:grobinson] from )
> > You probably should also write a test that checks that in a policy of
> > |default-src: 'unsafe-inline'; script-src: self| inline scripts are not
> > allowed to execute (specific script-src overrides default-src in that case)
> > and maybe the same for styles. It looks like the code
> > in CSPUtils.jsm handles this case correctly, though.
>
> Good idea. Is there any way for me to do this without copy-pasting my
> current mochitest and mochitest ^headers^ file, and just changing the
> ^headers^ file? Feels wasteful.

Yeah, it's not great to have a bunch of extra files just for different headers. I did it for the spec compliant tests since the ones using the old header will go away some day when we finally deprecate support for it.

The other way to do the tests is to write an .sjs - then you can do things like serve different policies/headers based on query params. Some of the other CSP tests do stuff like this, for example, see .

6 years ago

Comment on Patch 2
Review of:
-----------------------------------------------------------------

Overall, looking good!

• Do not use unsafe-eval and unsafe-inline.
• Use the Report-Only option to test the policy.

Start collecting and analyzing reports:

• Add the report-uri directive to the policy.
• Filter out the noise.
• Add extra information to easily identify the application/module.
• Provide analysis results to development teams and to the security team.

When using a Content-Security-Policy like the following:

'Content-Security-Policy', "default-src https:; img-src 'self' data: https:"

Edge does not render SVG images properly (loaded using image src attributes), logging this error message: CSP14321: Resource violated directive 'default-src https:' in Content-Security-Policy: inline style, in at line 81 column 8. Resource will be blocked.
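The default-src fallback described in the bug report, the test case the review asks for, and the Edge SVG report at the end of the page all come down to the same resolution rule, shown here as an added JavaScript example; this is not code from the bug thread or from Firefox's CSPUtils.jsm. It parses a policy header, picks the effective source list for scripts and styles (the specific directive if present, otherwise default-src) and reads the inline/eval keywords from that list. A second resolver models the pre-fix Firefox behavior as the report describes it (keywords honored only when written literally in script-src or style-src); that modelling is an assumption drawn from the report, not Firefox code. The sample policies are constructed; the review's `|default-src: 'unsafe-inline'; script-src: self|` shorthand is written in real header syntax.

```javascript
// Added example: CSP 1.0 default-src fallback resolver. Not from the bug
// thread or from Firefox's CSPUtils.jsm.

// Parse "name src src; name src" into a Map of directive name -> Set of
// source expressions. Directive names are matched case-insensitively;
// source keywords are compared as written.
function parsePolicy(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), new Set(sources));
  }
  return directives;
}

// Effective source list for a resource type: the specific directive wins
// outright; otherwise default-src applies; null means nothing restricts it.
function effectiveSources(directives, specific) {
  if (directives.has(specific)) return directives.get(specific);
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

// Spec behavior: keywords are honored on whichever directive is effective,
// so 'unsafe-inline' / 'unsafe-eval' on default-src reach scripts and styles
// only while no script-src / style-src is present.
function resolve(policy) {
  const d = parsePolicy(policy);
  const script = effectiveSources(d, "script-src");
  const style = effectiveSources(d, "style-src");
  return {
    inlineScript: script === null || script.has("'unsafe-inline'"),
    evalScript: script === null || script.has("'unsafe-eval'"),
    inlineStyle: style === null || style.has("'unsafe-inline'"),
  };
}

// Assumed model of the pre-fix Firefox behavior from the bug report: the
// keywords count only when they appear literally in script-src or style-src.
function resolveLegacyFirefox(policy) {
  const d = parsePolicy(policy);
  const has = (name, kw) => d.has(name) && d.get(name).has(kw);
  const scriptRestricted = d.has("script-src") || d.has("default-src");
  const styleRestricted = d.has("style-src") || d.has("default-src");
  return {
    inlineScript: !scriptRestricted || has("script-src", "'unsafe-inline'"),
    evalScript: !scriptRestricted || has("script-src", "'unsafe-eval'"),
    inlineStyle: !styleRestricted || has("style-src", "'unsafe-inline'"),
  };
}

// Property names on which the two resolvers disagree for a policy
// (empty when spec and legacy behavior give the same answers).
function disagreements(policy) {
  const spec = resolve(policy);
  const legacy = resolveLegacyFirefox(policy);
  return Object.keys(spec).filter((k) => spec[k] !== legacy[k]);
}

// Constructed sample policies.
const SAMPLES = {
  // The review's test case: script-src overrides default-src for scripts,
  // but styles still fall back to default-src and keep 'unsafe-inline'.
  specificOverridesDefault: "default-src 'unsafe-inline'; script-src 'self'",
  // The fallback case from the bug report: both keywords reach scripts,
  // and 'unsafe-inline' reaches styles, via default-src alone.
  fallbackToDefault: "default-src 'self' 'unsafe-inline' 'unsafe-eval'",
  // The Edge report: style-src falls back to "https:", which carries no
  // 'unsafe-inline', so an inline style inside the SVG is blocked.
  edgeSvg: "default-src https:; img-src 'self' data: https:",
};

for (const [label, policy] of Object.entries(SAMPLES)) {
  console.log(label, resolve(policy), "legacy differs on:", disagreements(policy));
}
```

Running it prints one line per sample; the first sample is the one the requested mochitest must pin down (inline scripts blocked, inline styles allowed), and the legacy resolver disagrees only on the style answer, which is exactly the gap the bug describes.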