SummerOfCode/2012/UserCSP/WeeklyUpdates/2012-08-13

From MozillaWiki
Jump to: navigation, search

« previous week | index | next week »

This Week

Monday, 13 August

  • UserCSP Project report preparation. Project report contains, goal and objectives of the project, functionality and how it works, and technical details of the project.

Tuesday, 14 August

  • Intercepted "shouldLoad" method of nsIContentPolicy interface.
    • The nsIContentPolicy interface is useful to observe content that is being loaded into browser.
    • The "shouldLoad" method of this interface will be called before loading the resource to determine whether to start the load at all.
  • This method is useful to infer the rules for website by observing the contents that are loaded by a web page.

Wednesday, 15 August

  • Perform the resource load type check to collect information about the type of load and destination domain of the request.
  • To infer CSP directive rules such as, script-src, img-src, etc, I intercepted at "shouldLoad" method of nsIContentPolicy interface. When this method is invoked it provides various information, we are specifically interested in following information: aContentType : TYPE_IMAGE, TYPE_SCRIPT, TYPE_OBJECT, etc. aContentLocation: It contains destination domain URL where resource is hosted. aRequestOrigin: The domain that initiated this resource load request.
    • For example, If request is of TYPE_IMAGE then for "aRequestOrigin", I stored "aContentLocation" URL in "img-src" directive. The entry is only inserted if it doesn't exists in CSP directive to remove duplicates.

Thursday, 16 August

  • Inferred policy for a website by observing its resource loading is send to add-on UI component for displaying it in the add-on UI.
      • Inferred policy for a website is shown in the "ALL" tab of the add-on UI.
    • Automatically inferred policy for a website provides hints for users in configuring CSP directives as well as makes their job easier while configuring a CSP policy for the website.

Friday, 17 August

  • Filed a bug on bugzilla.mozilla.org for refinePolicy() method. (Bug 783497)
  • Changed the logo of userCSP add-on. Bug 780045 is for content security policy logo. However, the logo is not yet ready so tentatively we used a Shield icon for userCSP add-on.

Saturday, 18 August

  • userCSP add-on sqlite database file is now stored in ProfD (profile directory) of Firefox. Previously, it was stored on user's Desk(Desktop).
  • Added "Infer CSP" tab to add-on UI.
      • Infer policy tab provides three buttons to the user namely, Start, Stop and SetInferredCSPAsUserCSP.
        • The "Start" button when clicked starts inferring of a CSP policy for a website and "Stop" button stops automatic inferring of a CSP policy for a website.

Sunday, 19 August

  • "Help" tab is added to add-on UI and it say "If the website rules appear to be missing for a site that has implemented CSP, try clicking shift-refresh. It may be because the website is cached."
      • When a site is loaded from a cache and it has set "X-Content-Security-Policy header, then we don't know how to retrieve its "X-Content-Security-Policy" Header for the website when it is loaded from a cache. Therefore, in such scenario we are not able to display the CSP policy into add-on UI. Whereas shift-refresh causes a site to be loaded from network, so that we can retrieve CSP policy from HTTP header.
  • Added "setInferredCSPAsUserCSP" button into "Infer CSP" tab. This feature allows user to set automatically inferred policy for a website as well as allows user to update inferred CSP policy.
  • userCSP add-on source code is uploaded on GitHub (https://github.com/patilkr/userCSP)
  • Project report is uploaded at (https://wiki.mozilla.org/SummerOfCode/2012/UserCSP/Wiki)