On 6/5/2014 8:50 AM, Boris Zbarsky wrote:
> On 6/5/14, 11:39 AM, Matthew Gertner wrote:
>> The problem is that on sites that enforce their own CSP, the resources
>> may not be loaded. For example, github.com has script-src set to
>> 'self' so it won't load stylesheets via our protocol. Is there any way
>> to designate a protocol as privileged so that it overrides the CSP?
>> From looking at the source code it seems like certain protocols
>> (about, chrome, resource) are hardcoded to override the CSP but I
>> couldn't see a way to define other privileged protocols.
>
> The CSP implementation should be using protocol flags here instead of
> hardcoding (and if it's not, bugs should be filed). And then your
> protocol can set the relevant flags.
CSP should be doing that (it's not) and while that may solve your specific problem it leaves the more common case unaddressed. If a user has installed an addon that creates mashups (injects flickr images maybe, or maps?) the user wants to see that content even if the page's CSP is not expecting it. We need a more generic way to specify minimum required CSP overrides than just "anywhere my protocol appears". Depending on the protocol that could just as easily reintroduce the XSS problems CSP is trying to prevent.

In general we'd rank the user's wishes over the page author's. Addons complicate the picture a bit: for the most part we assume that since the user installed them they represent the user's wishes, but sometimes addons are just doing dumb (potentially exploitable) things that the user isn't fully aware of.

[For the purposes of this conversation I'm ignoring outright evil add-ons because they'll just abuse whatever they can get away with whether we make it easy for them or not.]

-Dan Veditz

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
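The loader decision the thread is arguing about, as an added example that is not Gecko's CSP code and not anything posted by the participants. It is a simplified CSP source-list matcher in JavaScript (covering 'self', 'none', scheme-sources and host-sources; nonces, hashes and 'unsafe-inline' are out of scope because they do not govern URL loads) followed by the two override shapes under discussion: a scheme-wide privilege, "anywhere my protocol appears", versus an explicit per-addon allowlist of origins. Everything specific is an assumption for illustration: the `myaddon:` scheme, the policy string (constructed, not github.com's real header), the `checkLoad`, `privilegedSchemes` and `addonOrigins` names, and the `myaddon://proxy/...` URL, which stands in for a hypothetical handler that fetches whatever target the URL names. The last case is the point Dan raises: if the scheme is privileged everywhere, any page attacker who can inject a URL in that scheme gets around the page's own policy, so the safety of the override depends entirely on what the protocol handler will serve.

```javascript
'use strict';

// Parse "directive sources; directive sources" into Map(directive -> [sources]).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Host pattern match: exact host, "*.suffix" wildcard, or bare "*".
function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.com"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Does one source expression allow `url` on a page whose URL is `page`?
// Simplified from the CSP spec: a host-source without a scheme is required to
// match the page's scheme; other keyword sources ('none', 'unsafe-inline', ...)
// never match a URL load.
function sourceAllows(source, url, page) {
  if (source === "'self'") {
    return url.protocol === page.protocol && url.host === page.host;
  }
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // scheme-source
  let scheme = page.protocol;
  let hostPart = source;
  const idx = source.indexOf('://');
  if (idx !== -1) {
    scheme = source.slice(0, idx + 1);
    hostPart = source.slice(idx + 3);
  }
  const [hostPattern, port] = hostPart.split(':');
  if (url.protocol !== scheme) return false;
  if (port !== undefined && url.port !== port) return false;
  return hostMatches(hostPattern, url.hostname);
}

// Look up the fetch directive, falling back to default-src as CSP does.
function policyAllows(directives, directive, url, page) {
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (sources === undefined) return true; // no governing directive: unrestricted
  return sources.some((s) => sourceAllows(s, url, page));
}

// Hypothetical loader decision (assumption for this example, not Gecko's logic).
// privilegedSchemes: the scheme-wide override being debated.
// addonOrigins:      a narrower "scheme://host" allowlist an add-on could declare.
function checkLoad({ policy, pageUrl, directive, resourceUrl,
                     privilegedSchemes = [], addonOrigins = [] }) {
  const page = new URL(pageUrl);
  const url = new URL(resourceUrl);
  const directives = parsePolicy(policy);
  if (policyAllows(directives, directive, url, page)) return { allowed: true, reason: 'policy' };
  if (privilegedSchemes.includes(url.protocol)) return { allowed: true, reason: 'privileged-scheme' };
  if (addonOrigins.includes(`${url.protocol}//${url.host}`)) return { allowed: true, reason: 'addon-allowlist' };
  return { allowed: false, reason: 'blocked-by-csp' };
}

// Constructed inputs modelled on the thread. The policy text is made up for
// the example; it is not github.com's actual Content-Security-Policy header.
const PAGE = 'https://github.com/some/repo';
const POLICY = "default-src 'self'; script-src 'self'; img-src 'self' https://*.githubusercontent.com";
const ADDON_CSS = 'myaddon://resources/mashup.css';
// Hypothetical handler path that would fetch an arbitrary remote target.
const ADDON_PROXY_JS = 'myaddon://proxy/fetch?url=https://attacker.example/x.js';

function demo() {
  const base = { policy: POLICY, pageUrl: PAGE };
  return {
    sameOriginScript: checkLoad({ ...base, directive: 'script-src', resourceUrl: 'https://github.com/assets/app.js' }),
    wildcardImage:    checkLoad({ ...base, directive: 'img-src', resourceUrl: 'https://avatars.githubusercontent.com/u/1' }),
    // The case from the thread: style-src falls back to default-src 'self', so the add-on's stylesheet is blocked.
    addonStyle:       checkLoad({ ...base, directive: 'style-src', resourceUrl: ADDON_CSS }),
    // Scheme-wide privilege lets the add-on's stylesheet through, but also anything else in that scheme.
    schemeOverride:   checkLoad({ ...base, directive: 'script-src', resourceUrl: ADDON_PROXY_JS, privilegedSchemes: ['myaddon:'] }),
    // An explicit allowlist admits only the origin the add-on declared.
    allowlistGood:    checkLoad({ ...base, directive: 'style-src', resourceUrl: ADDON_CSS, addonOrigins: ['myaddon://resources'] }),
    allowlistProxy:   checkLoad({ ...base, directive: 'script-src', resourceUrl: ADDON_PROXY_JS, addonOrigins: ['myaddon://resources'] }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints the six decisions. The two that matter for the thread are `schemeOverride` and `allowlistProxy`: with the same injected URL, the scheme-wide rule says allowed and the allowlist says blocked. Neither is a substitute for the protocol handler itself refusing to serve content it did not ship; this matcher only shows where the page's policy stops and the override begins.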