Re: Content Security Policy and WebDriver

If I'm reading the CSP spec right, in the context of the current
recommendation, "self" merely matches the origin domain of the loaded page.
Injected script, such as that executed by executeScript, has no "source",
and thus does not match the "self" domain. I could be wrong, but I think it
might be blocked in this case.

On Mon, Nov 3, 2014 at 12:03 PM, Andreas Tolfsen <ato@mozilla.com> wrote:

> On Mon, Nov 3, 2014 at 7:55 PM, Jim Evans <james.h.evans.jr@gmail.com> wrote:
> > If I'm reading things properly, a browser that implements the Content
> > Security Policy spec browsing a site that has a Content Security Policy
> > can entirely disable the execution of anonymous JavaScript. This would
> > entirely break the executeScript and executeAsyncScript commands[1].
>
> I don't think it will since drivers usually operate with elevated
> security permissions, and always from localhost.  As I understand it
> there's no way in CSP to disable execution of scripts from self?
>

Received on Monday, 3 November 2014 20:17:50 UTC
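
The 'self' question raised in this thread, as an added example that is not part of the original messages: a simplified script-src check showing that 'self' is compared against a script's URL origin, so an inline script (which has no URL) is only permitted by 'unsafe-inline'. The function names and the example.test URLs are constructed for illustration; nonces, hashes, wildcards and paths are left out, and how a browser classifies script injected by a driver is not modelled.

```javascript
// Added illustration: keyword and origin matching for script-src only.
// Simplification: no nonces, hashes, wildcards, paths or ports-by-default logic.

// Split a policy string into a map of directive name -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script is either { inline: true } or { src: "<url, may be relative>" }.
function scriptAllowed(header, pageUrl, script) {
  const directives = parsePolicy(header);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true; // nothing in the policy governs scripts
  const lower = sources.map((s) => s.toLowerCase());

  if (script.inline) {
    // There is no URL to compare with 'self' or a host source.
    return lower.includes("'unsafe-inline'");
  }

  const page = new URL(pageUrl);
  const target = new URL(script.src, pageUrl).origin;
  return lower.some((s) => {
    if (s === "'self'") return target === page.origin;
    if (s.startsWith("'")) return false; // 'none', 'unsafe-inline' never match a URL
    // A host source without a scheme inherits the page's scheme.
    const withScheme = s.includes('://') ? s : `${page.protocol}//${s}`;
    try {
      return new URL(withScheme).origin === target;
    } catch {
      return false; // unparseable source expression matches nothing
    }
  });
}

// Constructed sample inputs.
const PAGE = 'https://app.example.test/index.html';
console.log(scriptAllowed("script-src 'self'", PAGE, { src: '/app.js' }));
console.log(scriptAllowed("script-src 'self'", PAGE, { inline: true }));
```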