Re: Content Security Policy and WebDriver from Andreas Tolfsen on 2014-11-03 (public-browser-tools-testing@w3.org from October to December 2014)

From: Andreas Tolfsen <ato@mozilla.com>
Date: Mon, 3 Nov 2014 20:03:46 +0000
To: Jim Evans <james.h.evans.jr@gmail.com>
Cc: "public-browser-tools-testing@w3.org" <public-browser-tools-testing@w3.org>
Message-ID: <CAL_dnaWAt8HsmFjXkVLJVO9ApRvtvAyATBwy0hYZTY2Pw-qkKQ@mail.gmail.com>

On Mon, Nov 3, 2014 at 7:55 PM, Jim Evans <james.h.evans.jr@gmail.com> wrote:
> If I'm reading things properly, a browser that implements the Content Security
> Policy spec browsing a site that has a Content Security Policy can entirely
> disable the execution of anonymous JavaScript. This would entirely break the
> executeScript and executeAsyncScript commands[1].

I don't think it will since drivers usually operate with elevated
security permissions, and always from localhost.  As I understand it
there's no way in CSP to disable execution of scripts from self?

Received on Monday, 3 November 2014 20:04:14 UTC