Feature #15060

Apply a more restrictive CSP in Verification Extension

Added by sajolida 2017-12-14 15:43:30. Updated 2018-03-01 07:27:35.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Installation
Target version:
Start date:
2017-12-14
Due date:
% Done:
0%

Feature Branch:
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Verification Extension
Deliverable for:


Subtasks


Related issues

Related to Tails - Bug #13450: Implement CSP HTTP header Rejected 2017-07-10
Related to Tails - Bug #16078: Download page is not refreshed when verification extension is installed Resolved 2018-10-27

History

#1 Updated by sajolida 2017-12-22 18:32:45

  • Assignee changed from sajolida to uzairfarooq

#2 Updated by uzairfarooq 2017-12-28 07:20:50

  • Assignee changed from uzairfarooq to sajolida
  • QA Check set to Ready for QA

#3 Updated by sajolida 2018-01-17 17:04:56

  • Status changed from Confirmed to In Progress
  • Assignee changed from sajolida to uzairfarooq
  • QA Check changed from Ready for QA to Info Needed

Reference document for Content Security Policy (CSP):

https://w3c.github.io/webappsec-csp/#directives-fetch

CSP in the context of Chrome:

https://developer.chrome.com/extensions/contentSecurityPolicy

Your commit is 071add2.

  • “default-src ‘none’” means not allowing fetching anything by default, which is the most restrictive option, so that looks good.
  • I tried to remove “script-src ‘self’” and test the extension locally and the extension still worked. What do we need it for? How did you test that?

My diff:

-  "content_security_policy": "default-src 'none';script-src 'self';"
+  "content_security_policy": "default-src 'none'"
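Review bot: with the `+` line, `script-src` is no longer listed, so under the CSP fallback rule it inherits `default-src 'none'`; any script loaded by an extension page (background page, popup, options page) is then governed by `'none'`. Testing on the download page alone does not exercise that, since content scripts injected into the site are not governed by the extension's own CSP, so the check before landing this is to confirm the manifest declares no extension pages or background scripts that load script resources, or else keep `script-src 'self'`. Dropping the trailing `;` is fine; it is optional in a policy string.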

#4 Updated by Anonymous 2018-01-19 15:57:10

  • related to Bug #13450: Implement CSP HTTP header added

#5 Updated by anonym 2018-01-23 19:52:41

  • Target version changed from Tails_3.5 to Tails_3.6

#6 Updated by uzairfarooq 2018-01-26 13:27:40

  • Status changed from In Progress to Fix committed
  • Assignee changed from uzairfarooq to sajolida
  • QA Check changed from Info Needed to Ready for QA

I added “script-src 'self'” in case we want to load scripts from within the extension in future. I've removed that too now.
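
The rule that comments #3 and #6 turn on (why `script-src 'self'` is or is not needed next to `default-src 'none'`) is the CSP fallback: a fetch directive absent from the policy inherits the `default-src` source list, as described in the W3C reference linked in #3. The following is an added example, not code from the Verification Extension or the Tails project: a small evaluator for that subset of CSP, run against the two manifest values from the diff in #3. The extension origin, file names and the remote host it uses are made up for illustration.

```javascript
// Added example (not from the Tails Verification Extension): a minimal evaluator
// for the fetch-directive subset of Content Security Policy. It models directive
// parsing, the fallback of fetch directives to default-src, and the source
// expressions 'none', 'self' and scheme://host. Nonces, hashes, wildcards, paths,
// 'unsafe-inline' and reporting are deliberately not modelled.

// Fetch directives that inherit default-src when they are not listed.
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'connect-src', 'font-src', 'object-src',
  'media-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src',
]);

// Parse "name value value; name value" into Map<name, [values]>.
// CSP keeps only the first occurrence of a directive name.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The source list that governs `directive`: its own list if present, otherwise
// default-src for fetch directives, otherwise null (no restriction at all).
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FETCH_DIRECTIVES.has(directive) && directives.has('default-src')) {
    return directives.get('default-src');
  }
  return null;
}

// scheme://host of a URL. Computed by hand because URL.origin is "null" for
// non-special schemes such as chrome-extension:.
function originOf(url) {
  return `${url.protocol}//${url.host}`;
}

// One source expression against one request; unparsable expressions match nothing.
function sourceMatches(source, url, selfOrigin) {
  const lower = source.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return originOf(url) === selfOrigin;
  try {
    return originOf(new URL(source)) === originOf(url);
  } catch (e) {
    return false;
  }
}

// Would a fetch of `requestUrl`, governed by `directive`, be allowed for a
// document whose origin is `selfOrigin` under `policy`?
function isAllowed(policy, directive, requestUrl, selfOrigin) {
  const sources = effectiveSources(parsePolicy(policy), directive);
  if (sources === null) return true;
  const url = new URL(requestUrl);
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}

// The two manifest values from the diff in comment #3.
const BEFORE = "default-src 'none';script-src 'self';";
const AFTER = "default-src 'none'";

// Made-up extension origin (real IDs are 32 letters a-p) and made-up file names.
const EXT = 'chrome-extension://aaaabbbbccccddddeeeeffffgggghhhh';

function demo() {
  const ownScript = `${EXT}/verify.js`;
  return {
    // 'self' covers scripts shipped inside the extension...
    ownScriptBefore: isAllowed(BEFORE, 'script-src', ownScript, EXT),
    // ...but once script-src is gone it inherits default-src 'none'.
    ownScriptAfter: isAllowed(AFTER, 'script-src', ownScript, EXT),
    // Neither policy ever allowed a remote script (made-up host).
    remoteScript: isAllowed(BEFORE, 'script-src', 'https://cdn.example/x.js', EXT),
    // img-src was never listed, so both policies fall back to 'none' for images.
    ownImageBefore: isAllowed(BEFORE, 'img-src', `${EXT}/logo.png`, EXT),
    // Without default-src an unlisted directive is unrestricted: the reason
    // default-src 'none' is the right starting point.
    noDefault: isAllowed("img-src 'self'", 'script-src', 'https://cdn.example/x.js', EXT),
  };
}

console.log(demo());
```

Run with `node csp-eval.js` (any file name). The `ownScriptAfter` row is the behaviour the diff in #3 changes: a script shipped inside the extension is allowed under the old manifest value and refused under the new one, which is why the question in #3 is really whether any extension page loads a script at all, not whether the content script on the download page keeps working.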

#7 Updated by sajolida 2018-01-31 15:20:28

  • Status changed from Fix committed to Resolved
  • Assignee deleted (sajolida)
  • QA Check deleted (Ready for QA)

Looks good to me!

#8 Updated by intrigeri 2018-03-01 07:27:35

  • Subject changed from Apply a more restrictive CSP to Apply a more restrictive CSP in Verification Extension

(This got me confused, thinking our website’s CSP had been improved via this ticket, which is not the case.)

#9 Updated by Anonymous 2018-11-14 11:17:22

  • related to Bug #16078: Download page is not refreshed when verification extension is installed added