Re: Content Security Policy and WebDriver

On 05/11/2014 02:00, James Graham wrote:
> On 03/11/14 18:22, Sam Uong wrote:
>> Is the origin domain the same as "document.domain"? For both Chrome and
>> Firefox (both of which support CSP) I get the domain of the page that
>> I'm at when I run ExecuteScript("return document.domain;"). So it looks
>> like both drivers execute scripts from self.
> The origin you care about here is the "effective script origin".
> HTML has hooks for all of this stuff. You need to call the hooks in the
> right way, depending on what WebDriver is supposed to do. I *assume* it
> just calls a script in the script execution environment of the selected
> Window, but other possibilities are imaginable (I didn't check the spec).
> Check with Hixie for the exact form of the spell you need to cast to
> make this work.
I have spoken to the CSP editors about this and we should be fine. There 
is a note that UAs can allow scripts through and we should be able to 
use that. I will update the spec to point to that part of the spec.


Received on Wednesday, 5 November 2014 10:05:17 UTC