This repository was archived by the owner on Nov 29, 2018. It is now read-only.

Content Security Policy should be able to be enabled for Firefox Driver #7640

Originally reported on Google Code with ID 7640

As of 1b3c4fcf96d3 (fix for 6358), the "security.csp.enable" attribute has been set
to false. Because it is in the "frozen" section, it cannot be overridden with the FirefoxProfile.
I am trying to automate CSP testing and it is impossible because it cannot be enabled.

What steps will reproduce the problem?
1. From a selenium test, go to any page with CSP enabled, for example with the "Content-Security-Policy"
 header "default-src self; report-uri http://www.example.com/csp"
2. On that page add some inline JS such as:
     <script>
         document.write("<span id='inline-content'>Inline content</span>");
     </script>
3. Observe that the content is written so the JS is running. Further observe via network
panel in dev tools or a proxy that there is no CSP report generated.

I think having CSP disabled is a fine default, but not allowing override is a major
liability.


Selenium version: 2.41.0
OS: OS-X
Browser: Firefox
Browser version: 24.6.0


Reported by daniel@redwinewithfish.org on 2014-07-22 20:35:27
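
A local fixture for the reproduction steps above, added here as an example; it is not part of the original report or of Selenium. It serves the inline-script page with a CSP header and records violation reports, so a test can tell whether the browser under test enforces the policy. The names `CspFixture`, `start_fixture` and `csp_enforced`, the quoted `'self'` keyword and the local `/csp` report endpoint are assumptions of the example.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed page carrying the inline script from step 2 of the report.
PAGE = b"""<!doctype html><html><body><script>
document.write("<span id='inline-content'>Inline content</span>");
</script></body></html>"""
# Assumption: quoted 'self' keyword, and reports sent to this fixture's /csp.
POLICY = "default-src 'self'; report-uri /csp"

class CspFixture(BaseHTTPRequestHandler):
    reports = []  # violation reports received, shared by all requests
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", POLICY)
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/csp":
            try:
                report = json.loads(body).get("csp-report", {})
            except (ValueError, AttributeError):
                report = {}  # a malformed report still counts as a report
            CspFixture.reports.append(report)
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep test output quiet

def start_fixture(port=0):
    """Serve the fixture on localhost in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", port), CspFixture)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

def csp_enforced(inline_content_present, reports):
    """Enforced means the inline script did not run and a report arrived."""
    return (not inline_content_present) and len(reports) > 0

if __name__ == "__main__":
    _, url = start_fixture()
    input("Load %s in the browser under test, then press Enter\n" % url)
    print("violation reports:", CspFixture.reports)
```

In a Selenium test, load the fixture URL, check whether an element with id `inline-content` exists, and pass that result together with `CspFixture.reports` to `csp_enforced`.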
