Release #5 CSP in production

Posted: March 23, 2014 in Programming
Tags: , , , , , ,

And finally it happened!!!
CSP in landed to production in and It is a huge win for me and hopefully for webmaker as well. Here are the landed commits: CSP webmaker & CSP goggles. It is in report only mode right now. Everyone can test and see that CSP is there: just go to, open web console and if there is any not known script is trying to access webmaker.
In the nearest future, CSP v1.1 will be more stable and will support all browsers, at that time webmaker team will move to a new version. Also, newrelic got updated recently and new update brought inline scripts to the webmaker project that can not be moved. Because of that, I added 'unsafe-inline' policy to CSP. Hopefully, in the future it will be removed and CSP will do its jobs better.

For Goggles component there was a problem that I found and talked a little bit in my previous blog post, when user pressed “Active X Ray” button, inline script were produced and placed in index.html file, which is a violation to CSP. To solve this problem, I got some help from Jon and the suggestion was to add click handler event to that button, in order to save the href=”link”, so user can add that button to the bookmark and at the same, when user clicking the button the X-Ray view opens. Here is the commit (it was a part of my CSP for goggles) & implementation:

$("#bookmarklet-link").on("click", function(event) {
  var script = document.createElement('script');
  script.src = '/webxray.js';
  script.className = 'webxray';
  script.setAttribute('data-baseuri', hostname + "/"+localeInfo);

Implementing this ‘click’ handler helped to remove the inline script from goggles.

Also, I started to work on removing ‘new Function()’ from Basically, what should be done it instead of making a script string and then eval it, I need to make a popcorn instance manually, step by step. I’m still working on that.

The other bugs I just finished are:

For my next release I’m planning to finish several bugs:

  • Land CSP for Thimble (it’s under review)
  • Finish with popcorn ‘new Function()’
  • Just started to work on GA events for Goggles
  • Also, I just asked if I can pick up a bug, where we need to do autocompletion for location element in the Event component with the CSP in mind – hopefully I will get it.

See you later.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s