Working on CSP bug…cont’d

Posted: January 25, 2014 in Programming

Welcome to Friday evening. I am writing to tell you a little bit more, following up my previous post about my involvement with Mozilla, CSP and bug fixes. This week I pushed my CSP fix to the master branch of webmaker.org. Shortly after that, my code was reviewed by Jon (my thanks for his patience and help), and I got some comments on my work. Basically:

  • I made a silly mistake: I applied CSP only to the index page, but it should cover the whole of webmaker.org. Fixed by adding to app.js: app.use(middleware.addCSP());
  • The img-src directive of CSP should be set to "*", because the application loads images from many locations. Fixed
  • Removed unneeded comments. Fixed
  • Include hosts as allowed sources for CSP, not each domain. E.g.
    var hood = require('hood'); // security-header middleware; the require line is assumed, it was not in the original snippet
    module.exports.addCSP = function(options) {
      return hood.csp({ // module for CSP
        headers: [
          "Content-Security-Policy-Report-Only"
        ],
        policy: {
          'default-src': ["'self'", "https://mozorg.cdn.mozilla.net", // host, not an individual URL
          // ... remaining sources and directives omitted in the original post
          ]
        }
      });
    };

    Fixed

  • More testing needed. Done – removed more inline script/style tags and tested in different browsers.

Found that the Google Maps API uses eval, which CSP blocks. Not fixed – can it be?!

Basically, CSP does not allow scripts to use eval() or new Function(). I tested webmaker's Events page, and there are a lot of eval uses inside the Google Maps API. Jon forwarded me the follow-up on the Google bug page -> . Some of the responses say that using another Maps API could be a solution, but not for all cases. The Google Maps API is good, but has some problems as well. Maybe recode some of the functions inside the Google code?! Will it work?
Other than that, I am really excited about this opportunity to contribute to the Open Source community, and hopefully I will make it more efficient in a reasonable time. Also thanks to Dave and Cade in IRC 🙂
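To make the review points above and the eval problem concrete, here is an added example that is not code from the original post, from webmaker.org or from the hood module's API. It is a minimal Express-style middleware that sets the policy on every response (the "whole site, not just the index page" point), in Report-Only mode by default so violations are reported but nothing is blocked, plus a small checker that answers "what does this policy actually allow?" before the header is switched to enforcement. The function names addCSP, buildCspHeader, sourceAllowed, evalAllowed and runMiddleware, the /csp-report path and the sample URLs are all assumptions for the example. The checker also shows the eval trade-off: eval() and new Function() only run when script-src (or default-src as its fallback) contains 'unsafe-eval', and granting that keyword for one library's sake loosens the policy for every script on the page.

```javascript
// Added example (not webmaker.org's code and not the hood module's API):
// a minimal CSP middleware plus a checker for what the policy permits.
// All function names below are assumed for this example.

// Policy in the same shape the post uses (directive -> list of sources).
// The '/csp-report' entry is a constructed placeholder, not a real endpoint.
const policy = {
  'default-src': ["'self'", 'https://mozorg.cdn.mozilla.net'],
  'img-src': ['*'],
  'report-uri': ['/csp-report'],
};

// Serialize the policy object into the header value format:
// "directive source source; directive source".
function buildCspHeader(policyObj) {
  return Object.keys(policyObj)
    .map((directive) => `${directive} ${policyObj[directive].join(' ')}`)
    .join('; ');
}

// Express-style middleware factory. options.reportOnly picks the header name,
// so the same policy can be rolled out in Report-Only mode first, then enforced
// by flipping one flag. Mounting it with app.use() covers every route.
function addCSP(options) {
  const opts = Object.assign({ reportOnly: true, policy }, options);
  const headerName = opts.reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';
  const value = buildCspHeader(opts.policy);
  return function csp(req, res, next) {
    res.setHeader(headerName, value);
    next();
  };
}

// Source list for a directive: fetch directives such as img-src or script-src
// fall back to default-src when they are not set explicitly.
function sourcesFor(policyObj, directive) {
  return policyObj[directive] || policyObj['default-src'] || [];
}

// Does the policy allow loading `url` under `directive` for a page at
// `pageOrigin`? Handles the tokens used in the post: 'self', '*' and hosts.
function sourceAllowed(policyObj, directive, url, pageOrigin) {
  const target = new URL(url);
  return sourcesFor(policyObj, directive).some((src) => {
    if (src === '*') return true;                       // img-src * in the post
    if (src === "'self'") return target.origin === pageOrigin;
    if (src.startsWith("'")) return false;              // other keywords are not hosts
    // A host source like https://mozorg.cdn.mozilla.net: scheme and host must match.
    const allowed = new URL(src.includes('://') ? src : `https://${src}`);
    return allowed.protocol === target.protocol && allowed.host === target.host;
  });
}

// eval() / new Function() are blocked unless 'unsafe-eval' is present in
// script-src (or in default-src when script-src is absent).
function evalAllowed(policyObj) {
  return sourcesFor(policyObj, 'script-src').includes("'unsafe-eval'");
}

// Constructed fake response object so the middleware can run without Express.
function runMiddleware(options) {
  const headers = {};
  const res = { setHeader: (name, value) => { headers[name] = value; } };
  let nextCalled = false;
  addCSP(options)({}, res, () => { nextCalled = true; });
  return { headers, nextCalled };
}

// Stand-alone run: print the header and a few checks against the sample policy.
console.log(runMiddleware({}).headers);
console.log('image from anywhere:',
  sourceAllowed(policy, 'img-src', 'http://anywhere.example/pic.png', 'https://webmaker.org'));
console.log('script from an unlisted host:',
  sourceAllowed(policy, 'script-src', 'https://unlisted.example/x.js', 'https://webmaker.org'));
console.log('eval allowed:', evalAllowed(policy));
```

The useful habit here is to keep the policy as data and run the checker over the real resource URLs a page loads (the ones the browser reports to report-uri) before enforcing; that turns the Report-Only phase into a checklist rather than a guess.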
