Feature #15060
Apply a more restrictive CSP in Verification Extension
Start date: 2017-12-14
Due date:
% Done: 0%
Subtasks
Related issues
Related to Tails - |
Rejected | 2017-07-10 | |
Related to Tails - |
Resolved | 2018-10-27 |
History
#1 Updated by sajolida 2017-12-22 18:32:45
- Assignee changed from sajolida to uzairfarooq
#2 Updated by uzairfarooq 2017-12-28 07:20:50
- Assignee changed from uzairfarooq to sajolida
- QA Check set to Ready for QA
#3 Updated by sajolida 2018-01-17 17:04:56
- Status changed from Confirmed to In Progress
- Assignee changed from sajolida to uzairfarooq
- QA Check changed from Ready for QA to Info Needed
Reference document for Content Security Policy (CSP):
https://w3c.github.io/webappsec-csp/#directives-fetch
CSP in the context of Chrome:
https://developer.chrome.com/extensions/contentSecurityPolicy
Your commit is 071add2.
- "default-src 'none'" means not allowing fetching anything by default, which is the most restrictive option, so that looks good.
- I tried to remove "script-src 'self'" and test the extension locally and the extension still worked. What do we need it for? How did you test that?
My diff:
- "content_security_policy": "default-src 'none';script-src 'self';"
+ "content_security_policy": "default-src 'none'"
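Review bot: the + line drops script-src entirely, so script loads now fall back to default-src 'none', and the "still worked" test only covers this if it exercised an extension page (background or popup) that loads a packaged script. Per the Chrome document linked above, content scripts are generally not subject to the extension's CSP, so they keep running under either policy. Suggest recording in the commit message which pages were tested, and that script-src 'self' has to come back if a page ever loads a script from the package.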
#4 Updated by Anonymous 2018-01-19 15:57:10
- related to Bug #13450: Implement CSP HTTP header added
#5 Updated by anonym 2018-01-23 19:52:41
- Target version changed from Tails_3.5 to Tails_3.6
#6 Updated by uzairfarooq 2018-01-26 13:27:40
- Status changed from In Progress to Fix committed
- Assignee changed from uzairfarooq to sajolida
- QA Check changed from Info Needed to Ready for QA
I added ‘script self’ in case we want to load scripts from within the extension in future. I’ve removed that too now.
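The directive fallback that comments #3 and #6 turn on, as an added example that is not part of the ticket or the extension's code: it parses the two policy strings from the diff in #3 and reports which directive ends up governing script loads. The function names and the fallback table are this example's own, and the table covers only a subset of fetch directives.

```javascript
// Added example (not from the ticket or the extension's code).
// Fallback chains for fetch directives; a directive listed only in
// DEFAULT_ONLY falls back straight to default-src.
const FALLBACK = {
  "script-src-elem": ["script-src", "default-src"],
  "script-src-attr": ["script-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
  "frame-src": ["child-src", "default-src"],
};
const DEFAULT_ONLY = new Set(["script-src", "style-src", "img-src",
  "connect-src", "font-src", "media-src", "object-src", "child-src"]);

// Parse a serialized policy: directives are separated by ';', names are
// case-insensitive, and a repeated directive is ignored (first one wins).
function parsePolicy(policy) {
  const directives = new Map();
  for (const token of policy.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue; // e.g. after a trailing ';'
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Return the directive that governs `directive` and its source list,
// or { from: null } when the policy does not restrict that fetch type.
function effectiveSources(policy, directive) {
  const directives = parsePolicy(policy);
  const fallback = FALLBACK[directive] ||
    (DEFAULT_ONLY.has(directive) ? ["default-src"] : []);
  for (const name of [directive, ...fallback]) {
    if (directives.has(name)) return { from: name, sources: directives.get(name) };
  }
  return { from: null, sources: null };
}

// The two manifest values from the diff in comment #3.
const BEFORE = "default-src 'none';script-src 'self';";
const AFTER = "default-src 'none'";

function report() {
  return [BEFORE, AFTER].map((p) => {
    const { from, sources } = effectiveSources(p, "script-src");
    return `${p} => scripts governed by ${from}: ${sources.join(" ")}`;
  });
}
console.log(report().join("\n"));
```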
#7 Updated by sajolida 2018-01-31 15:20:28
- Status changed from Fix committed to Resolved
- Assignee deleted (sajolida)
- QA Check deleted (Ready for QA)
Looks good to me!
#8 Updated by intrigeri 2018-03-01 07:27:35
- Subject changed from Apply a more restrictive CSP to Apply a more restrictive CSP in Verification Extension
(This got me confused, thinking our website’s CSP had been improved via this ticket, which is not the case.)
#9 Updated by Anonymous 2018-11-14 11:17:22
- related to Bug #16078: Download page is not refreshed when verification extension is installed added