security - CSP in Firefox 20.0: default-src 'none'
I have a problem with Content Security Policy in Firefox. Basic code:
```php
<?php include_once 'corepolicies/csp.php'; ?>
<!doctype html>
<html>
<head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    <script src="http://code.jquery.com/jquery-1.9.1.js"></script>
    <script src="scripts/script.js"></script>
    <link href="style/style.css" rel="stylesheet" type="text/css"/>
</head>
<body>
    <form id="formtest" method="post" action="index.php">
        <input type="text" name="gettext"/>
        <input type="submit" value="insert"/>
    </form>
    <div id="indataform">
        <?php
        // $_POST is case-sensitive; the posted $_post is always unset.
        // The value is echoed unescaped on purpose so CSP can be tested against
        // reflected input; real code would wrap it in htmlspecialchars().
        if (isset($_POST['gettext'])) {
            echo $_POST['gettext'];
        }
        ?>
    </div>
    <script src="listeners/listener.js"></script>
</body>
</html>
```
This simple PHP code submits data; the PHP file sets the CSP header:
```php
<?php
// corepolicies/csp.php: must run before any output, or header() cannot send anything.
$rule  = "default-src 'none'; ";
$rule .= "script-src "
       . "http://localhost/csp/scripts/script.js "
       . "http://localhost/csp/listeners/listener.js "
       . "http://code.jquery.com/jquery-1.9.1.js; ";
$rule .= "style-src http://localhost/csp/style/style.css;";

// Send the policy under the standard header name and both legacy vendor-prefixed names
// (the posted foreach was missing the "as" keyword).
foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $csp) {
    header($csp . ": " . $rule);
}
?>
```
When I try to load the web page in Chrome it works fine, and also under IE, but when I run it in Firefox it doesn't apply the CSP properly. It says the scripts and styles violate the CSP script-src='none' and style-src='none'. It doesn't see the script-src and style-src rules, and I don't know why.
Can anyone help me, please? I'm using Firefox 20.0.
I think I found the solution. I tried to make some changes to the code and I've found something interesting in the way Firefox uses CSP. It seems the browser can't verify the source of a file (like JS or CSS files, or the jQuery JS file). It works with the source domain: 'self' for scripts and style, and http://code.jquery.com for jQuery. What I've done is add a check on the client's user agent and, if it is Firefox 22.0 or lower, use the header:
```http
X-Content-Security-Policy: default-src 'none'; script-src 'self' http://code.jquery.com; style-src 'self';
```
And it works fine :) If you're worried about inline scripts, Firefox disables inline scripts by default when you use the CSP header.
So the code is this one:
```php
<?php
// Returns true for Firefox 22 or lower, the versions that need the legacy policy form.
function isFirefox() {
    $browser = $_SERVER['HTTP_USER_AGENT'];   // superglobal names are case-sensitive
    $pos = strpos($browser, "Firefox/");
    if ($pos === false) {
        return false;                          // not Firefox at all
    }
    // The version number starts right after "Firefox/". The posted code read from the
    // slash itself, so intval() always returned 0 and every Firefox version matched.
    $version = intval(substr($browser, $pos + strlen("Firefox/"), 4));
    return $version <= 22;
}

$rule  = "default-src 'none'; ";
$rule .= "script-src "
       . "http://localhost/scripts/script.js "
       . "http://localhost/listeners/listener.js "
       . "http://code.jquery.com/jquery-1.9.1.js; ";
$rule .= "style-src http://localhost/style/style.css;";

if (isFirefox()) {
    // Host-only sources instead of full file URLs for old Firefox.
    $rule = "default-src 'none'; script-src 'self' http://code.jquery.com; style-src 'self';";
}

foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $csp) {
    header($csp . ": " . $rule);
}
?>
```
Of course this is a proof of concept, it's not portable or anything else, but if anyone has the same problem, I think it might help :-)
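Why the two policies behave differently in an older browser, as an added example that is not code from the question or the answer: the block below is a simplified model of CSP 1.0 source-list matching, in which a source expression is `'none'`, `'self'` or `[scheme://]host[:port]` with no path component (path matching was only added in CSP Level 2), and an entry that does not parse is dropped. It is an assumption about the mechanism, not Firefox 20's actual implementation. The policy strings are the ones from the post; `allowed`, `invalidSources` and the other function names are the example's own.

```javascript
// Added example: a simplified model of CSP 1.0 source-list matching.
// Assumptions (not Firefox 20's real code): sources are 'none', 'self' or
// [scheme://]host[:port] with no path; unparsable entries are dropped.

const DEFAULT_PORTS = { http: '80', https: '443' };

// "script-src a b; style-src c" -> Map { 'script-src' => ['a','b'], 'style-src' => ['c'] }
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Parse one source expression; null means "not a valid CSP 1.0 source".
function parseSource(src) {
  if (src === "'none'") return { kind: 'none' };
  if (src === "'self'") return { kind: 'self' };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return null; // anything carrying a path, e.g. http://host/file.js, lands here
  return { kind: 'host', scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// Entries of a directive that the model drops as unparsable.
function invalidSources(policyText, directive) {
  const sources = parsePolicy(policyText).get(directive) || [];
  return sources.filter((s) => parseSource(s) === null);
}

function originParts(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.replace(/:$/, '').toLowerCase();
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORTS[scheme] || '' };
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // '*.example.com' -> '.example.com'
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatches(src, target, page) {
  if (src.kind === 'none') return false;
  if (src.kind === 'self') {
    return target.scheme === page.scheme && target.host === page.host && target.port === page.port;
  }
  const scheme = src.scheme || page.scheme; // no scheme given: the page's scheme applies
  if (target.scheme !== scheme) return false;
  if (!hostMatches(src.host, target.host)) return false;
  const port = src.port || DEFAULT_PORTS[scheme] || '';
  return port === '*' || port === target.port;
}

// Would a resource at targetUrl be allowed for `directive` on a page at pageUrl?
function allowed(policyText, directive, targetUrl, pageUrl) {
  const directives = parsePolicy(policyText);
  const sources = directives.get(directive) || directives.get('default-src');
  if (sources === undefined) return true; // neither directive present: unrestricted
  const page = originParts(pageUrl);
  const target = originParts(targetUrl);
  const valid = sources.map(parseSource).filter((s) => s !== null);
  // If every entry was dropped the list is empty and behaves exactly like 'none',
  // which is what the question reports Firefox saying.
  return valid.some((s) => sourceMatches(s, target, page));
}

// The two policies from the post, and the page they protect.
const ORIGINAL_POLICY =
  "default-src 'none'; script-src http://localhost/csp/scripts/script.js " +
  "http://localhost/csp/listeners/listener.js http://code.jquery.com/jquery-1.9.1.js; " +
  "style-src http://localhost/csp/style/style.css;";
const FALLBACK_POLICY =
  "default-src 'none'; script-src 'self' http://code.jquery.com; style-src 'self';";
const PAGE = 'http://localhost/csp/index.php';

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, policy] of [['original', ORIGINAL_POLICY], ['fallback', FALLBACK_POLICY]]) {
    console.log(label, 'dropped script-src entries:', invalidSources(policy, 'script-src'));
    console.log(label, 'script.js allowed:', allowed(policy, 'script-src', 'http://localhost/csp/scripts/script.js', PAGE));
    console.log(label, 'jquery allowed:', allowed(policy, 'script-src', 'http://code.jquery.com/jquery-1.9.1.js', PAGE));
  }
}
```

Run it with `node`. Under this model every `script-src` and `style-src` entry in the original policy is dropped, leaving empty lists that deny everything, while the fallback policy's `'self'` and `http://code.jquery.com` match both local files and jQuery by origin. Host-only sources are also the portable choice because they are valid in every CSP version; path-qualified sources only became legal in CSP Level 2.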