This repository has been archived by the owner on Jun 8, 2018. It is now read-only.

Content Security Policy restrictions prevent injections #41

Closed
ghost opened this issue Feb 11, 2016 · 2 comments

Comments

@ghost

ghost commented Feb 11, 2016

The title explains it all. I'm using Firefox 44.0.1 x64 on Ubuntu.

@Synzvato Synzvato changed the title When data URIs are restricted by CSP, Decentraleyes cannot function Content Security Policy restrictions prevent injections Feb 11, 2016
@Synzvato
Owner

Hi @beardog108, thanks for sharing your findings.

This is indeed true, and a fix is underway. As a first step, the plan is to automatically identify domains that run strict policies, and then treat any of their required resources as missing.

There is an active prototype that internally marks domains tainted if the DOM node responsible for the request has a crossorigin or an integrity attribute, or if it's inside of an iframe.

It might also be an idea to try and make the add-on detect CSP errors caused by injected resources and mark the corresponding domain as tainted, which has not yet been prototyped.

This should give the project some breathing-space, as very few domains are currently affected by such policies. Any ideas or suggestions (in the form of comments, or Pull Requests) are welcome.

I'll tag this as a duplicate of #16 to keep the discussion in one place.

Thanks again for contributing, much appreciated!
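The taint logic sketched in the comment above (mark a domain when the requesting node carries a `crossorigin` or `integrity` attribute or sits inside an iframe, and optionally when the browser reports a CSP violation for an injected `data:` resource) can be expressed compactly. The following is an added example written for this thread, not Decentraleyes' own code; the names `taintedDomains`, `nodeTaintReasons`, `handleCspViolation` and `shouldInject` are hypothetical, while the `securitypolicyviolation` DOM event and its `blockedURI` / `effectiveDirective` / `documentURI` fields are standard. The functions take plain node and event objects so the decision logic also runs outside a browser.

```javascript
// Added example (not part of the Decentraleyes project). Names are hypothetical.
// Hosts whose policy has been found incompatible with local resource injection.
const taintedDomains = new Set();

// True when the node is rendered inside a frame rather than the top-level
// browsing context (its window is not window.top).
function isInsideFrame(node) {
  const win = node.ownerDocument && node.ownerDocument.defaultView;
  return Boolean(win && win.top && win !== win.top);
}

// Reasons a local substitution of this node's request would be unsafe:
// an SRI hash or a CORS-checked load will not match a data: URI, and a
// framed document may be governed by a stricter policy than the top page.
function nodeTaintReasons(node) {
  const reasons = [];
  if (node.hasAttribute('integrity')) reasons.push('integrity');
  if (node.hasAttribute('crossorigin')) reasons.push('crossorigin');
  if (isInsideFrame(node)) reasons.push('iframe');
  return reasons;
}

function markTainted(hostname) {
  if (hostname) taintedDomains.add(hostname);
}

// Hostname of the document whose policy produced a violation report.
function hostOf(uri) {
  try {
    return new URL(uri).hostname;
  } catch (e) {
    return '';
  }
}

// Handler for the DOM 'securitypolicyviolation' event. Per CSP, a blocked
// data: URL is reported with blockedURI === 'data' (scheme only); a data:
// resource refused by script-src, style-src, img-src or default-src is taken
// as evidence that the document's host forbids injected resources.
// Returns the hostname that was marked tainted, or null if unrelated.
function handleCspViolation(event) {
  const blocked = String(event.blockedURI || '');
  const directive = String(event.effectiveDirective || event.violatedDirective || '');
  const isDataUri = blocked === 'data' || blocked.startsWith('data:');
  const relevant = /^(script|style|img|default)-src/.test(directive);
  if (!isDataUri || !relevant) return null;
  const host = hostOf(event.documentURI);
  markTainted(host);
  return host || null;
}

// Decision point before a request is rewritten to a bundled copy:
// leave the request untouched for tainted hosts and for tainted nodes.
function shouldInject(hostname, node) {
  if (taintedDomains.has(hostname)) return false;
  return nodeTaintReasons(node).length === 0;
}

// Attach the listener only where a DOM exists (e.g. in a content script).
if (typeof document !== 'undefined' && document.addEventListener) {
  document.addEventListener('securitypolicyviolation', handleCspViolation);
}
```

Note that `securitypolicyviolation` fires in the page context, so a listener registered from an extension has to live in a content script; the first violation on a host is still lost to the policy, which is why the attribute-based check runs before any rewrite rather than after.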

@Synzvato
Owner

Synzvato commented Dec 3, 2017

@beardog108 I've decided to create a bug (1419459) on Mozilla's bugtracker. Upvotes are welcome.
