Add $csp modifier support #685
Comments
As said, to simplify we can just forbid the use of
@gorhill agreed, rephrased it. Regarding
@ameshkov Do I understand correctly,
Nope, it disables all rules with the I'll update the modifier description so that it was clear.
I guess
Yes, whitelisting disables this, just like any other blocking filters. By the way, I mistakenly mentioned that
Why not to the nested frames? For instance, FB SDK communicates with its server through an iframe. You might want to keep FB API working, but block this communication. I don't say it is a real-life example, but I suppose having such an option might come in handy sometimes.
"Main document" as in "not secondary resources". I did mention "root frame, or embedded frames".
Sure, there's no point in applying The point about third-party iframes still stands, though. Same goes for the Here is one more real-life example. Remember that We have two options of blocking it (pseudo-code below).
We sure can have the point 2 without
Personally I see The only time I see where
What about Let's just mention in the syntax description, that If we stumble upon a case where third-party really makes any difference, we'll return to this discussion.
Yes,
@seanl-adg @Alex-302 guys, please take a look at this new feature.
Ok, thank you! Added modifiers limitation description.
Something I had thought about but it ended up slipping my mind, it's mentioned in ABP's issue tracker, this should be made into a rule for parsers: a parser must drop a
Indeed, added to the syntax description, thank you!
This modifier completely changes the rule behavior. If it is applied to a rule, it will not block the matching request. The response headers are going to be modified instead.
For the requests matching a $csp rule, we will strengthen the response's security policy by adding an additional content security policy equal to the $csp modifier contents.
csp rules are applied independently from any other rule type. Other basic rules have no influence on it.

csp syntax
csp value syntax is similar to the Content Security Policy header syntax.
csp value can be empty in the case of exception rules. See examples section for further information.

csp examples
||example.org^$csp=frame-src 'none' — prohibits all frames on example.org and its subdomains.
@@||example.org/page/*$csp=frame-src 'none' — disables all rules with csp modifier exactly matching frame-src 'none' on all the pages matching the rule pattern. For instance, the rule above.
@@||example.org/page/*$csp — disables all the $csp rules on all the pages matching the rule pattern.
||example.org^$csp=script-src 'self' 'unsafe-eval' http: https: — disables inline scripts on all the pages matching the rule pattern.
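
The matching and exception semantics described in the issue text above, as an added JavaScript example that is not part of the original issue or the project's code. The helper names (`patternToRegex`, `parseRule`, `cspForUrl`), the simplified pattern matcher, the handling of a blocking rule with an empty value, and the `/embed/` exception rule are assumptions made for illustration.

```javascript
// Added example: simplified $csp rule evaluation, not the project's implementation.
const SEPARATOR = '(?:[^\\w.%-]|$)'; // what "^" matches in a basic rule

// Assumption: only the "||", "^" and "*" pattern tokens are supported here.
function patternToRegex(pattern) {
  let re = pattern
    .replace(/[.+?${}()[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*')
    .replace(/\^/g, () => SEPARATOR);
  if (re.startsWith('||')) re = '^https?://(?:[^/?#]*\\.)?' + re.slice(2);
  return new RegExp(re);
}

// Parses "pattern$csp=value" or "@@pattern$csp"; no other modifier is handled.
function parseRule(text) {
  const exception = text.startsWith('@@');
  const body = exception ? text.slice(2) : text;
  const idx = body.indexOf('$csp');
  if (idx === -1) return null;
  const rest = body.slice(idx + 4);
  if (rest !== '' && !rest.startsWith('=')) return null;
  const value = rest.slice(1).trim();
  // Assumption: a blocking rule with an empty value is dropped as invalid.
  if (!exception && value === '') return null;
  return { exception, value, regex: patternToRegex(body.slice(0, idx)) };
}

// Returns the policies to add to the response for `url`, one header each.
function cspForUrl(rules, url) {
  const matching = rules.filter((r) => r && r.regex.test(url));
  const exceptions = matching.filter((r) => r.exception);
  // "@@...$csp" with no value disables every $csp rule on matching pages.
  if (exceptions.some((r) => r.value === '')) return [];
  // "@@...$csp=value" disables only rules whose value matches exactly.
  const disabled = new Set(exceptions.map((r) => r.value));
  return matching
    .filter((r) => !r.exception && !disabled.has(r.value))
    .map((r) => r.value);
}

// Rules from the examples above; the /embed/ exception is constructed.
const RULES = [
  "||example.org^$csp=frame-src 'none'",
  "||example.org^$csp=script-src 'self' 'unsafe-eval' http: https:",
  "@@||example.org/page/*$csp=frame-src 'none'",
  "@@||example.org/embed/*$csp",
].map(parseRule);
```

Each returned value is meant to be sent as its own Content-Security-Policy header, so the added policies can only restrict what the page's existing policy already allows.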