security - CSP in Firefox 20.0: default-src none


I have a problem with Content Security Policy in Firefox. Basic code:

<?php include_once 'corepolicies/csp.php'; ?>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="content-type" content="text/html; charset=utf-8">
        <script src="http://code.jquery.com/jquery-1.9.1.js"></script>
        <script src="scripts/script.js"></script>
        <link href="style/style.css" rel="stylesheet" type="text/css"/>
    </head>
    <body>
        <form id="formtest" method="post" action="index.php">
            <input type="text" name="gettext"/>
            <input type="submit" value="insert"/>
        </form>
        <div id="indataform">
            <?php
                // Reflects the submitted text without escaping; on this CSP test
                // page it is the policy, not output encoding, that is expected to
                // stop an injected inline script.
                if (isset($_POST['gettext'])) {
                    echo $_POST['gettext'];
                }
            ?>
        </div>
        <script src="listeners/listener.js"></script>
    </body>
</html>

This simple PHP code submits data; the included PHP file sets the CSP header:

<?php
// corepolicies/csp.php: build the policy and send it under all three header
// names in use at the time (WebKit, Gecko and the standard name). Must run
// before any output, since header() cannot be called after the body starts.
$rule  = "default-src 'none'; ";
$rule .= "script-src " .
         "http://localhost/csp/scripts/script.js " .
         "http://localhost/csp/listeners/listener.js " .
         "http://code.jquery.com/jquery-1.9.1.js; ";
$rule .= "style-src http://localhost/csp/style/style.css;";

foreach (array("x-webkit-csp", "x-content-security-policy", "content-security-policy") as $csp) {
    header($csp . ": " . $rule);
}
?>

When I try to load the web page in Chrome it works fine, and also under IE, but when I run it in Firefox it doesn't apply the CSP properly. It says the scripts and styles violate CSP script-src='none' and style-src='none'. It doesn't see the script-src and style-src rules, and I don't know why.

Can anyone help me please? I'm using Firefox 20.0.

I think I found the solution. I tried to change the code and I've found something interesting in the way Firefox uses CSP. It seems the browser can't verify the source of a file (like JS or CSS files, or the jQuery JS file). It works with the source domain: 'self' for scripts and styles, and http://code.jquery.com for jQuery. What I've done is to set a check on the client's user agent and, if it is Firefox 22.0 or lower, use the header:

x-content-security-policy: default-src 'none'; script-src 'self' http://code.jquery.com; style-src 'self'; 

And it works fine :) I was worried about inline scripts, but Firefox disables inline scripts by default when you use the CSP header.

So the code is this one:

<?php
// Returns true for Firefox 22.0 or lower, based on the User-Agent string
// (e.g. "... Gecko/20100101 Firefox/20.0"). The product token is
// case-sensitive, so look for "Firefox", and read the version after the "/".
function isFirefox() {
    $browser = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    $pos = strpos($browser, "Firefox");
    if ($pos !== false) {
        $pos = strpos($browser, "/", $pos);
        if ($pos === false) return false;
        $version = intval(substr($browser, $pos + 1, 4));
        return $version <= 22;
    }
    return false;
}

$rule  = "default-src 'none'; ";
$rule .= "script-src " .
         "http://localhost/scripts/script.js " .
         "http://localhost/listeners/listener.js " .
         "http://code.jquery.com/jquery-1.9.1.js; ";
$rule .= "style-src http://localhost/style/style.css;";

// Older Firefox only accepts origin-level sources, so fall back to 'self' and
// the jQuery host instead of per-file URLs.
if (isFirefox()) {
    $rule = "default-src 'none'; script-src 'self' http://code.jquery.com; style-src 'self';";
}

foreach (array("x-webkit-csp", "x-content-security-policy", "content-security-policy") as $csp) {
    header($csp . ": " . $rule);
}
?>

Of course it's a proof of concept, it's not portable or anything else, but if anyone has the same problem, I think it helps :-)
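As an added example (not part of the question or the answer above), the JavaScript below models how a browser matches a script or stylesheet URL against a CSP source list under two grammars: CSP 1.0, where a host-source is scheme://host:port with no path component, so a per-file URL like http://localhost/csp/scripts/script.js is not a valid source expression, and CSP Level 2, which added path matching (exact match, or prefix match when the source path ends in "/"). The page origin http://localhost is an assumption; so is the choice to drop sources the parser cannot read, which mirrors what the answer reports for Firefox 20 (the directive behaving like 'none') rather than describing any browser's actual code. It runs under Node.

```javascript
// Added example, not code from the original post: a small model of CSP
// source-list matching under the CSP 1.0 grammar (no paths) and the CSP 2
// grammar (paths allowed). Only what the question touches is modelled:
// 'none', 'self', 'unsafe-inline', scheme://host[:port][/path] and bare host.
// Wildcards, nonces and hashes are left out.

const PAGE_ORIGIN = "http://localhost"; // assumed origin of the protected page
const DEFAULT_PORTS = { http: "80", https: "443" };

// Parse one source expression. With allowPath=false (CSP 1.0 grammar) a
// source carrying a path is unparseable and yields null; with
// allowPath=true (CSP 2) the path is kept for matching.
function parseSource(expr, allowPath) {
  if (expr === "'none'") return { none: true };
  if (expr === "'self'") return { self: true };
  if (expr === "'unsafe-inline'") return { inline: true };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:\s]+)(?::(\d+))?(\/\S*)?$/i.exec(expr);
  if (!m) return null;
  const [, scheme, host, port, path] = m;
  if (path !== undefined && !allowPath) return null; // no path in the 1.0 grammar
  return {
    scheme: scheme ? scheme.toLowerCase() : null,
    host: host.toLowerCase(),
    port: port || null,
    path: path || null,
  };
}

// Does one parsed source expression match the URL being fetched?
function matchesSource(src, url) {
  const u = new URL(url);
  const page = new URL(PAGE_ORIGIN);
  if (src.none || src.inline) return false;       // neither allows a fetched URL
  if (src.self) return u.origin === page.origin;
  // A source without a scheme inherits the page's scheme.
  const srcScheme = src.scheme || page.protocol.slice(0, -1);
  const urlScheme = u.protocol.slice(0, -1);
  if (srcScheme !== urlScheme) return false;
  if (src.host !== u.hostname.toLowerCase()) return false;
  const srcPort = src.port || DEFAULT_PORTS[srcScheme];
  const urlPort = u.port || DEFAULT_PORTS[urlScheme];
  if (srcPort !== urlPort) return false;
  if (src.path) {
    // CSP 2 path matching: trailing "/" means prefix match, otherwise exact.
    return src.path.endsWith("/") ? u.pathname.startsWith(src.path) : u.pathname === src.path;
  }
  return true;
}

// Evaluate a whole directive value (e.g. "'self' http://code.jquery.com").
// Sources the grammar cannot parse are dropped (assumption mirroring the
// behaviour the answer reports); if nothing parseable remains, the list is
// empty and behaves like 'none'.
function allowedBy(directiveValue, url, allowPath) {
  const sources = directiveValue
    .trim()
    .split(/\s+/)
    .map((e) => parseSource(e, allowPath))
    .filter((s) => s !== null);
  return sources.some((src) => matchesSource(src, url));
}

// Inline <script>/<style> blocks are allowed only with 'unsafe-inline'.
function inlineAllowed(directiveValue) {
  return directiveValue.trim().split(/\s+/).includes("'unsafe-inline'");
}

// The two lists from the post: per-file paths vs. origins.
const PATH_LIST =
  "http://localhost/csp/scripts/script.js " +
  "http://localhost/csp/listeners/listener.js " +
  "http://code.jquery.com/jquery-1.9.1.js";
const ORIGIN_LIST = "'self' http://code.jquery.com";

function demo() {
  const urls = [
    "http://localhost/csp/scripts/script.js",  // listed by path, same origin
    "http://code.jquery.com/jquery-1.9.1.js",  // listed by path, jQuery origin
    "http://localhost/csp/scripts/other.js",   // same origin, not in the path list
    "http://evil.example/x.js",                // neither
  ];
  return urls.map((url) => ({
    url,
    pathList_csp1: allowedBy(PATH_LIST, url, false),
    pathList_csp2: allowedBy(PATH_LIST, url, true),
    originList_csp1: allowedBy(ORIGIN_LIST, url, false),
  }));
}

if (typeof require !== "undefined" && require.main === module) console.table(demo());
```

Running the demo shows the trade-off behind the answer's workaround: under the 1.0 grammar every per-file source is dropped and nothing loads, under CSP 2 the path list admits exactly the three files, and the origin list works in both but is looser, since 'self' also admits http://localhost/csp/scripts/other.js or anything else served from the page's origin.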

