SummerOfCode/2012/UserCSP/WeeklyUpdates/2012-06-18: Difference between revisions
< SummerOfCode | 2012 | UserCSP
Jump to navigation
Jump to search
No edit summary |
|||
| (3 intermediate revisions by the same user not shown) | |||
| Line 8: | Line 8: | ||
=== Monday, {{#time:d F|{{SUBPAGENAME}}}} === | === Monday, {{#time:d F|{{SUBPAGENAME}}}} === | ||
* Tested "X-Content-Security-Policy" header injection | |||
** Use google.co.in for testing and block images from google by setting img-src directive in CSP rules. I observed that userCSP add-on successfully injected "X-Content-Security-Policy" header in Google response web page and images from google were blocked. | |||
** I also created two websites in virtual machine for testing purpose namely "a.com" and "b.com". A webpage from "a.com" loads scripts and images from both "a.com" as well as "b.com". Using userCSP add-on, I set img-src and script-src to "a.com" for webpages from "a.com". Thus userCSP add-on sucessfully block resources from "b.com" to be loaded. | |||
=== Tuesday, {{#time:d F|{{SUBPAGENAME}} +1 day}} === | === Tuesday, {{#time:d F|{{SUBPAGENAME}} +1 day}} === | ||
* Google search on mozilla idl's to implement combine strict and combine loose functionality when two csp policies are available. | |||
=== Wednesday, {{#time:d F|{{SUBPAGENAME}} +2 days}} === | === Wednesday, {{#time:d F|{{SUBPAGENAME}} +2 days}} === | ||
* Reading "ContentSecurityPolicy" idl | |||
**http://mxr.mozilla.org/mozilla-central/source/content/base/public/nsIContentSecurityPolicy.idl#99 | |||
=== Thursday, {{#time:d F|{{SUBPAGENAME}} +3 days}} === | === Thursday, {{#time:d F|{{SUBPAGENAME}} +3 days}} === | ||
=== Friday, {{#time:d F|{{SUBPAGENAME}} +4 days}} === | === Friday, {{#time:d F|{{SUBPAGENAME}} +4 days}} === | ||
* Created a global table to store complete csp policy for website defined CSP and user specified CSP. | |||
Latest revision as of 05:37, 26 June 2012
« previous week | index | next week »
This Week
Monday, 18 June
- Tested "X-Content-Security-Policy" header injection
- Use google.co.in for testing and block images from google by setting img-src directive in CSP rules. I observed that userCSP add-on successfully injected "X-Content-Security-Policy" header in Google response web page and images from google were blocked.
- I also created two websites in virtual machine for testing purpose namely "a.com" and "b.com". A webpage from "a.com" loads scripts and images from both "a.com" as well as "b.com". Using userCSP add-on, I set img-src and script-src to "a.com" for webpages from "a.com". Thus userCSP add-on sucessfully block resources from "b.com" to be loaded.
Tuesday, 19 June
- Google search on mozilla idl's to implement combine strict and combine loose functionality when two csp policies are available.
Wednesday, 20 June
- Reading "ContentSecurityPolicy" idl
Thursday, 21 June
Friday, 22 June
- Created a global table to store complete csp policy for website defined CSP and user specified CSP.