Content Security Policy and WebDriver

As mentioned at TPAC last week, and in the interest of moving discussions
to the mailing list, I've filed a bug against the spec for how a driver
implementation should act in the presence of a Content Security Policy
(https://www.w3.org/Bugs/Public/show_bug.cgi?id=27223). If I'm reading
things properly, a browser that implements the Content Security Policy spec
browsing a site that has a Content Security Policy can entirely disable the
execution of anonymous JavaScript. This would entirely break the
executeScript and executeAsyncScript commands[1].

Should the WebDriver spec address this particular potential interaction
issue? It seems unfriendly to users to say that sites implementing a
Content Security Policy can't be driven by WebDriver implementations.

--Jim

[1] There's also the side effect that it'll entirely disable existing
driver implementations that rely on JavaScript for their implementations.
At present, this affects at least three shipping implementations:
ChromeDriver, the open-source Firefox driver (likely Marionette too), and
the open-source Internet Explorer driver.

Received on Monday, 3 November 2014 19:56:03 UTC
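
A policy check for the interaction raised in this message, as an added example that is not part of the original post or of any driver's code: it parses a Content-Security-Policy header value and reports whether inline script and eval-style execution are permitted. The function names and sample policies are constructed, and whether a given driver's executeScript is affected depends on how that driver injects script, which is an assumption here.

```javascript
// Added example (not from the original message). Function names and the
// sample policies are constructed for illustration.

// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; only its first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report whether the policy permits inline script and eval()/new Function().
// Only script-src and its default-src fallback are considered.
function scriptPolicy(headerValue) {
  const d = parseCsp(headerValue);
  const raw = d.has('script-src') ? d.get('script-src') : d.get('default-src');
  if (raw === undefined) return { governed: false, inline: true, eval: true };
  const src = raw.map((s) => s.toLowerCase());
  // From CSP Level 2 on, 'unsafe-inline' is ignored if a nonce or hash is listed.
  const nonceOrHash = src.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return {
    governed: true,
    inline: src.includes("'unsafe-inline'") && !nonceOrHash,
    eval: src.includes("'unsafe-eval'"),
  };
}

// Assumption: a driver that injects script needs inline and/or eval execution.
function describe(headerValue) {
  const p = scriptPolicy(headerValue);
  if (!p.governed) return 'script execution not restricted';
  if (p.inline && p.eval) return 'inline and eval allowed';
  if (p.inline) return 'eval blocked';
  if (p.eval) return 'inline blocked';
  return 'inline and eval blocked';
}

// Constructed sample policies.
const samples = [
  "default-src 'self'",
  "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  "script-src 'nonce-abc123' 'unsafe-inline'; object-src 'none'",
  "img-src https:",
];
for (const s of samples) console.log(`${s}  =>  ${describe(s)}`);
```

Run it with Node.js; a Content-Security-Policy-Report-Only header would not enforce any of these restrictions and is outside what this check models.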