Content Security Policy should be able to be enabled for Firefox Driver #7640

Closed
lukeis opened this Issue Mar 4, 2016 · 6 comments

Comments

lukeis (Member) commented Mar 4, 2016

Originally reported on Google Code with ID 7640

As of 1b3c4fcf96d3 (fix for 6358), the "security.csp.enable" attribute has been set
to false. Because it is in the "frozen" section, it cannot be overridden with the FirefoxProfile.
I am trying to automate CSP testing and it is impossible because it cannot be enabled.

What steps will reproduce the problem?
1. From a selenium test, go to any page with CSP enabled, for example with the "Content-Security-Policy"
 header "default-src self; report-uri http://www.example.com/csp"
2. On that page add some inline JS such as:
   <script>
       document.write("<span id='inline-content'>Inline content</span>");
   </script>
3. Observe that the content is written so the JS is running. Further observe via network
panel in dev tools or a proxy that there is no CSP report generated.

I think having CSP disabled is a fine default, but not allowing override is a major
liability.


Selenium version: 2.41.0
OS: OS-X
Browser: Firefox
Browser version: 24.6.0

Reported by daniel@redwinewithfish.org on 2014-07-22 20:35:27

lukeis commented Mar 4, 2016

Reported by barancev on 2014-07-23 08:01:03

  • Labels added: Browser-Firefox

lukeis commented Mar 4, 2016

Hey,

we are able to overwrite this CSP setting with `.setPreference('security.csp.enable',
true);`
This results in CSP warnings from injected Selenium scripts though.

What needs to be done to run Firefox with CSP enabled? 

Reported by vfilippov@mozilla.com on 2014-08-18 17:01:43
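Added example, not code from the issue or from the Selenium project: a self-hosted rig for the repro steps in the original report and the `setPreference('security.csp.enable', true)` workaround in the comment above. It serves the report's inline-script page with the CSP header, collects violation reports POSTed to /csp, and optionally drives Firefox through Selenium with `security.csp.enable` forced on. Assumptions that are mine: the Selenium 4 `FirefoxOptions`/geckodriver API (the report's `FirefoxProfile` belongs to the legacy FirefoxDriver that froze the preference), a constructed test page and report body, and the helper names `csp_header`, `parse_report`, `CspHandler`, `start_server` and `run_firefox_check`. One correction worth carrying into a real test: `'self'` in the header must be quoted, because an unquoted `self` is parsed as a host named "self" rather than the keyword.

```python
"""Added example: a self-hosted CSP test rig for the repro steps above.
Not Selenium project code. Serves a page whose inline <script> must be
blocked under default-src 'self', collects violation reports POSTed to
/csp, and optionally drives Firefox with security.csp.enable forced on."""
import json
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

REPORT_PATH = "/csp"  # assumed report endpoint, served by CspHandler below


def csp_header(report_path=REPORT_PATH):
    # 'self' must be quoted: a bare self is parsed as a host named "self",
    # so the unquoted policy in the issue would not even allow same-origin loads.
    return f"default-src 'self'; report-uri {report_path}"


# Constructed test page: the inline document.write from the issue's step 2.
PAGE = b"""<!doctype html><title>csp test</title>
<p id="static">static content</p>
<script>document.write("<span id='inline-content'>Inline content</span>");</script>
"""


def parse_report(body):
    """Pick out the fields a CSP test asserts on. Firefox POSTs
    {"csp-report": {...}} with Content-Type application/csp-report."""
    report = json.loads(body)["csp-report"]
    return {
        "violated": report.get("effective-directive")
        or report.get("violated-directive"),
        "blocked": report.get("blocked-uri"),
        "document": report.get("document-uri"),
    }


class CspHandler(BaseHTTPRequestHandler):
    reports = []  # violation reports received at REPORT_PATH
    lock = threading.Lock()

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", csp_header())
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        if self.path == REPORT_PATH:
            with self.lock:
                self.reports.append(parse_report(body))
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the server quiet during tests
        pass


def start_server():
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), CspHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def run_firefox_check(base_url, timeout=5.0):
    """Drive Firefox with the preference this issue is about and return
    (inline_content_present, reports_received). With CSP enforced the
    expected result is (False, 1). Assumes Selenium 4 plus geckodriver;
    the legacy FirefoxDriver froze this preference, which is the bug reported."""
    from selenium import webdriver  # imported here so the rig runs without it

    opts = webdriver.FirefoxOptions()
    opts.set_preference("security.csp.enable", True)
    driver = webdriver.Firefox(options=opts)
    try:
        driver.get(base_url + "/")
        present = bool(driver.find_elements("id", "inline-content"))
    finally:
        driver.quit()
    deadline = time.time() + timeout  # reports are delivered asynchronously
    while time.time() < deadline:
        with CspHandler.lock:
            if CspHandler.reports:
                break
        time.sleep(0.1)
    with CspHandler.lock:
        return present, len(CspHandler.reports)


if __name__ == "__main__":
    srv, url = start_server()
    try:
        present, n = run_firefox_check(url)
        print(f"inline content present: {present}; CSP reports received: {n}")
        assert not present and n >= 1, "CSP is not being enforced"
    finally:
        srv.shutdown()
```

If the inline span still appears, or no report reaches /csp, the browser under test is not enforcing the policy, which is exactly the symptom the report describes. Under the legacy driver the same rig would also surface the second comment's problem: Selenium's own injected scripts trip the policy, so a real test must separate reports caused by the page from reports caused by the driver.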

lukeis commented Mar 4, 2016

So selenium injects JS in order to do its magic?

Reported by daniel@redwinewithfish.org on 2014-10-21 19:19:00

lukeis commented Mar 4, 2016

Reported by barancev on 2014-11-04 07:49:35

  • Labels added: Component-WebDriver
  • Labels removed: Browser-Firefox

lukeis commented Mar 4, 2016

The current FirefoxDriver implementation has serious dysfunction when CSP is enabled.
It is next to impossible to fix this. Let's hope the next implementation, aka Marionette,
will be able to work with CSP enabled.

Reported by barancev on 2015-04-03 19:19:52

  • Status changed: NotFeasible

lukeis commented Mar 4, 2016

Reported by luke.semerau on 2015-09-17 18:22:45

  • Labels added: Restrict-AddIssueComment-Commit

@lukeis lukeis closed this Mar 4, 2016

@SeleniumHQ SeleniumHQ locked and limited conversation to collaborators Mar 4, 2016
