Feature #88
[Roadmap 6][Milestone] Allow payloads to also specify CSP rules that should be used instead of the original ones served by page
0%
Description
Note that this concerns CSP rules other than those for scripts. For scripts we always use a nonce
History
Updated by koszko almost 2 years ago
As this is somehow related, I'll write an update regarding our recent CSP change (where we are no longer modifying existing CSP headers but rather dropping them completely or leaving them as they were).
In the end, I didn't use the commit from your branch, Jahoti. I hope you don't mind that. After the change:
- No CSP headers get modified for pages where there is no payload being injected.
- All original CSP headers sent by server get removed for pages where we're going to inject some payload.
- I retained the code that injects our "x-hachette" header and retrieves it later in case of headers being cached by Firefox (I saw you removed on your branch but I don't know why; it is still needed, right?).
- We no longer differentiate between normal and report-only CSP headers.
The behavior I aimed for was slightly different from that on your branch + content/main.js was already very different from when you modified it with your commit. That's why I did it this way
Updated by jahoti almost 2 years ago
I read this thread earlier today and had been meaning to reply, yet couldn't find it again- sorry!
In the end, I didn't use the commit from your branch, Jahoti. I hope you don't mind that. After the change:
Not at all- whatever works best!
- No CSP headers get modified for pages where there is no payload being injected.
- All original CSP headers sent by server get removed for pages where we're going to inject some payload.
- I retained the code that injects our "x-hachette" header and retrieves it later in case of headers being cached by Firefox (I saw you removed on your branch but I don't know why; it is still needed, right?).
It is still needed; that was what I now understand to be faulty reasoning, which also led to CSP headers being removed where scripts are blocked even if no payload was injected. Thank you for re-doing that change correctly!
- We no longer differentiate between normal and report-only CSP headers.
The behavior I aimed for was slightly different from that on your branch + content/main.js was already very different from when you modified it with your commit. That's why I did it this way
Indeed, it is for the best :).
Updated by koszko over 1 year ago
- Blocks Feature #73: [Roadmap 6] Implement a permissions system added
Updated by koszko over 1 year ago
- Subject changed from Allow payloads to also specify CSP rules that should be used instead of the original ones served by page to [Roadmap 6][Milestone] Allow payloads to also specify CSP rules that should be used instead of the original ones served by page
Updated by koszko about 1 year ago
- Blocks deleted (Feature #73: [Roadmap 6] Implement a permissions system)