Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How come amo register does not have "setInterval blocked by CSP" problem? #45

Closed
haoqili opened this issue Jul 11, 2011 · 2 comments
Closed

How come amo register does not have "setInterval blocked by CSP" problem? #45

haoqili opened this issue Jul 11, 2011 · 2 comments
Labels
Demo CSP TOASK

Comments

@haoqili
Copy link
Owner

haoqili commented Jul 11, 2011

Even when they don't have set in settings.py: 'CSP_OPTIONS = ("eval-script",)'

problem seen on Firebug:

        call to setInterval blocked by CSP            recaptcha.js (line 23)

Because setInterval() is blocked by CSP.
haoqili added a commit that referenced this issue Jul 11, 2011
@haoqili
:?) #40, #41. 2 break throughs, 1 question. BT1: change into amo regi…
06f8258 
…ster's custom RecaptchaOptions to avoid in-body script. BT2: have to allow setInterval like 'CSP_OPTIONS = ("eval-script",)'. Q1 #45 How come amo register does not have "setInterval blocked by CSP" problem even without CSP_OPTIONS?
haoqili added a commit that referenced this issue Jul 11, 2011
@haoqili
:?) #45, davedash copy pasted amo's csp settings and it --> showed no…
c7742a8 
…n-custom RecaptchaOptions red recaptcha box only, without showing custom RecapchaOptions recapcha image
@haoqili
Copy link
Owner Author

haoqili commented Jul 11, 2011

Solution explaination:

  • the problem is with CSP_REPORT_ONLY

in amo, CSP_REPORT_ONLY is set to True, so that the violations are written on the report, but are not enforced! That's why setInterval (and anything else) is allowed

--> not secure though :(

@haoqili haoqili closed this as completed Jul 11, 2011
haoqili added a commit that referenced this issue Jul 11, 2011
@haoqili
:D #45! somehow CSP is only correct when CSP_REPORT_ONLY is set to true!
6be0d1e
haoqili added a commit that referenced this issue Jul 17, 2011
@haoqili
:)~ #45 get basic logic of checking data on server correct, but when …
9a45b37 
…I try to test with the Tamper Data add-on, I get a 403. :(
@haoqili
Copy link
Owner Author

haoqili commented Jul 17, 2011

above commit has nothing to do with this issue, the number was a typo.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Demo CSP TOASK
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@haoqili