SummerOfCode/2012/UserCSP/WeeklyUpdates/2012-08-13
From MozillaWiki
< SummerOfCode | 2012 | UserCSP
« previous week | index | next week »
Contents
This Week
Monday, 13 August
- UserCSP Project report preparation. Project report contains, goal and objectives of the project, functionality and how it works, and technical details of the project.
Tuesday, 14 August
- Intercepted "shouldLoad" method of nsIContentPolicy interface.
- The nsIContentPolicy interface is useful to observe content that is being loaded into browser.
- The "shouldLoad" method of this interface will be called before loading the resource to determine whether to start the load at all.
- This method is useful to infer the rules for website by observing the contents that are loaded by a web page.
Wednesday, 15 August
- Perform the resource load type check to collect information about the type of load and destination domain of the request.
- To infer CSP directive rules such as, script-src, img-src, etc, I intercepted at "shouldLoad" method of nsIContentPolicy interface. When this method is invoked it provides various information, we are specifically interested in following information:
aContentType : TYPE_IMAGE, TYPE_SCRIPT, TYPE_OBJECT, etc. aContentLocation: It contains destination domain URL where resource is hosted. aRequestOrigin: The domain that initiated this resource load request.
- For example, If request is of TYPE_IMAGE then for "aRequestOrigin", I stored "aContentLocation" URL in "img-src" directive. The entry is only inserted if it doesn't exists in CSP directive to remove duplicates.
Thursday, 16 August
- Inferred policy for a website by observing its resource loading is send to add-on UI component for displaying it in the add-on UI.
** Inferred policy for a website is shown in the "ALL" tab of the add-on UI.
- Automatically inferred policy for a website provides hints for users in configuring CSP directives as well as makes their job easier while configuring a CSP policy for the website.
Friday, 17 August
- Filed a bug on bugzilla.mozilla.org for refinePolicy() method. (Bug 783497)
- Changed the logo of userCSP add-on. Bug 780045 is for content security policy logo. However, the logo is not yet ready so tentatively we used a Shield icon for userCSP add-on.
Saturday, 18 August
- userCSP add-on sqlite database file is now stored in ProfD (profile directory) of Firefox. Previously, it was stored on user's Desk(Desktop).
- Added "Infer CSP" tab to add-on UI.
- Infer policy tab provides three buttons to the user namely, Start, Stop and SetInferredCSPAsUserCSP.
- The "Start" button when clicked starts inferring of a CSP policy for a website and "Stop" button stops automatic inferring of a CSP policy for a website.
- Infer policy tab provides three buttons to the user namely, Start, Stop and SetInferredCSPAsUserCSP.
Sunday, 19 August
- "Help" tab is added to add-on UI and it say "If the website rules appear to be missing for a site that has implemented CSP, try clicking shift-refresh. It may be because the website is cached."
- When a site is loaded from a cache and it has set "X-Content-Security-Policy header, then we don't know how to retrieve its "X-Content-Security-Policy" Header for the website when it is loaded from a cache. Therefore, in such scenario we are not able to display the CSP policy into add-on UI. Whereas shift-refresh causes a site to be loaded from network, so that we can retrieve CSP policy from HTTP header.
- Added "setInferredCSPAsUserCSP" button into "Infer CSP" tab. This feature allows user to set automatically inferred policy for a website as well as allows user to update inferred CSP policy.
- userCSP add-on source code is uploaded on GitHub (https://github.com/patilkr/userCSP)
- Project report is uploaded at (https://wiki.mozilla.org/SummerOfCode/2012/UserCSP/Wiki)