This repository was archived by the owner on Nov 29, 2018. It is now read-only.
As of 1b3c4fcf96d3 (fix for 6358), the "security.csp.enable" attribute has been set
to false. Because it is in the "frozen" section, it cannot be overridden with the FirefoxProfile.
I am trying to automate CSP testing and it is impossible because it cannot be enabled.
What steps will reproduce the problem?
1. From a selenium test, go to any page with CSP enabled, for example with the "Content-Security-Policy" header "default-src self; report-uri http://www.example.com/csp"
2. On that page add some inline JS such as:
   ```html
   <script>
   document.write("<span id='inline-content'>Inline content</span>");
   </script>
   ```
3. Observe that the content is written so the JS is running. Further observe via network panel in dev tools or a proxy that there is no CSP report generated.
I think having CSP disabled is a fine default, but not allowing override is a major
liability.
Selenium version: 2.41.0
OS: OS-X
Browser: Firefox
Browser version: 24.6.0
Please provide any additional information below. A sample reduced test
case, or a public URL that demonstrates the problem will intrigue our merry
band of Open Source developers far more than nothing at all: they'll be far
more likely to look at your problem if you make it easy for them!
Reported by daniel@redwinewithfish.org on 2014-07-22 20:35:27
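A local fixture for the reproduction steps above, as an added example that is not part of the original report or of Selenium: it serves the inline-script page under a CSP header and records any violation reports the browser posts back. The names `start_fixture` and `csp_enforced`, the `/csp` path, and the policy string (with `'self'` quoted and `report-uri` pointed at the fixture itself) are assumptions of this example.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed fixture: 'self' quoted as the CSP keyword, report-uri aimed at this server.
POLICY = "default-src 'self'; report-uri /csp"
PAGE = (b"<!doctype html><html><body><script>\n"
        b"document.write(\"<span id='inline-content'>Inline content</span>\");\n"
        b"</script></body></html>")


def start_fixture(port=0):
    """Serve PAGE under POLICY on 127.0.0.1; return (server, base_url, reports)."""
    reports = []  # one dict per violation report POSTed to /csp

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Security-Policy", POLICY)
            self.send_header("Content-Length", str(len(PAGE)))
            self.end_headers()
            self.wfile.write(PAGE)

        def do_POST(self):
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            if self.path != "/csp":
                self.send_response(404)
            else:
                try:
                    report = json.loads(body)["csp-report"]
                except (ValueError, KeyError, TypeError):
                    report = None
                if not isinstance(report, dict):  # keep malformed bodies for debugging
                    report = {"unparsed": body.decode("utf-8", "replace")}
                reports.append(report)
                self.send_response(204)
            self.end_headers()

        def log_message(self, *args):  # silence per-request logging
            pass

    server = ThreadingHTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port, reports


def csp_enforced(reports, inline_content_present):
    """True only if the inline script was blocked AND a script-related report arrived."""
    reported = any(str(r.get("violated-directive", "")).startswith(("default-src", "script-src"))
                   for r in reports)
    return (not inline_content_present) and reported
```

In a browser test, load the returned base URL, check whether an element with id `inline-content` exists, and pass that result together with `reports` to `csp_enforced`.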
Hey,
we are able to overwrite this CSP setting with `.setPreference('security.csp.enable', true);`
This results in CSP warnings from injected Selenium scripts though.
What needs to be done to run Firefox with CSP enabled?
Reported by vfilippov@mozilla.com on 2014-08-18 17:01:43
The current FirefoxDriver implementation has serious dysfunction when CSP is enabled.
It is next to impossible to fix this. Let's hope the next implementation aka Marionette
will be able to work with CSP enabled.
Originally reported on Google Code with ID 7640