Re: Content Security Policy and WebDriver

Is the origin domain the same as "document.domain"? For both Chrome and
Firefox (both of which support CSP) I get the domain of the page that I'm
at when I run ExecuteScript("return document.domain;"). So it looks like
both drivers execute scripts from self.

I threw together a quick test case that uses the header below, and then
executes a script from ChromeDriver, but I don't run into any problems with
the script being blocked...

Content-Security-Policy: default-src 'self';

But even if drivers already side-step this issue by executing scripts under
the right security origin, I agree that language needs to be added to the
spec about this.

Sam.

On Mon Nov 03 2014 at 12:17:56 PM Jim Evans <james.h.evans.jr@gmail.com>
wrote:

> If I'm reading the CSP spec right, in the context of the current
> recommendation, "self" merely matches the origin domain of the loaded page.
> Injected script, such as that executed by executeScript, has no "source",
> and thus does not match the "self" domain. I could be wrong, but I think it
> might be blocked in this case.
>
> On Mon, Nov 3, 2014 at 12:03 PM, Andreas Tolfsen <ato@mozilla.com> wrote:
>
>> On Mon, Nov 3, 2014 at 7:55 PM, Jim Evans <james.h.evans.jr@gmail.com>
>> wrote:
>> > If I'm reading things properly, a browser that implements the Content
>> > Security Policy spec browsing a site that has a Content Security Policy
>> > can entirely disable the execution of anonymous JavaScript. This would
>> > entirely break the executeScript and executeAsyncScript commands[1].
>>
>> I don't think it will since drivers usually operate with elevated
>> security permissions, and always from localhost.  As I understand it
>> there's no way in CSP to disable execution of scripts from self?
>>
>
>

Received on Tuesday, 4 November 2014 07:46:39 UTC
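
Added example, not part of the original thread or of any driver's code: a simplified model of how a CSP header such as the one tested above is applied to script on a page, showing the fallback from script-src to default-src, origin matching for 'self', and the keyword requirement for inline script and eval. The function names and the sample origins are assumptions made for illustration, and the model does not cover how a WebDriver implementation injects script.

```javascript
// Simplified CSP script check (added example). Not modelled: nonces, hashes,
// scheme-only sources, scheme-less hosts, host wildcards, 'strict-dynamic'.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src governs script; when it is absent, default-src is the fallback.
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null; // the policy places no restriction on script
}

// kind is 'url' (external script, scriptUrl required), 'inline' or 'eval'.
function scriptAllowed(header, pageUrl, kind, scriptUrl) {
  const sources = scriptSources(parsePolicy(header));
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  // Inline script and eval have no URL to compare, so only a keyword allows them.
  if (kind === 'inline') return lower.includes("'unsafe-inline'");
  if (kind === 'eval') return lower.includes("'unsafe-eval'");
  const self = new URL(pageUrl).origin;
  const target = new URL(scriptUrl, pageUrl).origin;
  return lower.some((s) => {
    if (s === '*') return true;
    if (s === "'self'") return target === self; // same scheme, host and port
    if (s.startsWith("'")) return false;        // 'none' and other keywords match no URL
    try { return new URL(s).origin === target; } catch { return false; }
  });
}

// Constructed sample: the header from the message, on a hypothetical origin.
function demo() {
  const header = "default-src 'self';";
  const page = 'https://app.example/index.html';
  return {
    sameOrigin: scriptAllowed(header, page, 'url', '/static/app.js'),
    otherOrigin: scriptAllowed(header, page, 'url', 'https://cdn.example/lib.js'),
    inline: scriptAllowed(header, page, 'inline'),
    evalCall: scriptAllowed(header, page, 'eval'),
  };
}
```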