Content Security Policy should be able to be enabled for Firefox Driver #7640

lukeis · 2016-03-04T08:37:35Z

Originally reported on Google Code with ID 7640

As of 1b3c4fcf96d3 (fix for 6358), the "security.csp.enable" attribute has been set
to false. Because it is in the "frozen" section, it cannot be overridden with the FirefoxProfile.
I am trying to automate CSP testing and it is impossible because it cannot be enabled.

What steps will reproduce the problem?
1. From a selenium test, go to any page with CSP enabled, for example with the "Content-Security-Policy"
 header "default-src self; report-uri http://www.example.com/csp"
2. On that page add some inline JS such as:
     <script>
         document.write("<span id='inline-content'>Inline content</span>");
      </script>
3. Observe that the content is written so the JS is running. Further observe via network
panel in dev tools or a proxy that there is no CSP report generated.

I think having CSP disabled is a fine default, but not allowing override is a major
liability.


Selenium version: 2.41.0
OS: OS-X
Browser: Firefox
Browser version: 24.6.0


Please provide any additional information below. A sample reduced test
case, or a public URL that demonstrates the problem will intrigue our merry
band of Open Source developers far more than nothing at all: they'll be far
more likely to look at your problem if you make it easy for them!

Reported by daniel@redwinewithfish.org on 2014-07-22 20:35:27

The text was updated successfully, but these errors were encountered:

lukeis · 2016-03-04T08:37:35Z

Reported by barancev on 2014-07-23 08:01:03

Labels added: Browser-Firefox

lukeis · 2016-03-04T08:37:36Z

Hey,

we are able to overwrite this CSP setting with `.setPreference('security.csp.enable',
true);`
This results in CSP warnings from injected Selenium scripts though.

What needs to be done to run Firefox with CSP enabled?

Reported by vfilippov@mozilla.com on 2014-08-18 17:01:43

lukeis · 2016-03-04T08:37:37Z

So selenium injects JS in order to do it's magic?

Reported by daniel@redwinewithfish.org on 2014-10-21 19:19:00

lukeis · 2016-03-04T08:37:38Z

Reported by barancev on 2014-11-04 07:49:35

Labels added: Component-WebDriver
Labels removed: Browser-Firefox

lukeis · 2016-03-04T08:37:38Z

The current FirefoxDriver implementation has serious disfunction when CSP is enabled.
It is next to impossible to fix this. Let's hope the next implementation aka Marionette
will be able to work with CSP enabled.

Reported by barancev on 2015-04-03 19:19:52

Status changed: NotFeasible

lukeis · 2016-03-04T08:37:39Z

Reported by luke.semerau on 2015-09-17 18:22:45

Labels added: Restrict-AddIssueComment-Commit

lukeis self-assigned this Mar 4, 2016

lukeis added Type-Defect Priority-Medium Restrict-AddIssueComment-Commit Component-WebDriver Status-NotFeasible Status-Untriaged labels Mar 4, 2016

lukeis closed this as completed Mar 4, 2016

SeleniumHQ locked and limited conversation to collaborators Mar 4, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Content Security Policy should be able to be enabled for Firefox Driver #7640

Content Security Policy should be able to be enabled for Firefox Driver #7640

lukeis commented Mar 4, 2016

lukeis commented Mar 4, 2016

lukeis commented Mar 4, 2016

lukeis commented Mar 4, 2016

lukeis commented Mar 4, 2016

lukeis commented Mar 4, 2016

lukeis commented Mar 4, 2016

Content Security Policy should be able to be enabled for Firefox Driver #7640

Content Security Policy should be able to be enabled for Firefox Driver #7640

Comments

lukeis commented Mar 4, 2016

lukeis commented Mar 4, 2016

lukeis commented Mar 4, 2016

lukeis commented Mar 4, 2016

lukeis commented Mar 4, 2016

lukeis commented Mar 4, 2016

lukeis commented Mar 4, 2016