Bug 1146596 (Closed) - Apply a content security policy to the reader view content that we serve
Status: RESOLVED FIXED
Opened 10 years ago; closed 9 years ago
Categories: Firefox for iOS :: Reader View, defect
People: Reporter: st3fan; Assigned: st3fan
Attachments: 1 file
Apply a CSP header to the /reader-mode/page endpoint that serves readability content. The policy can simply disallow embedded scripts, CSS, iframes and XHR. I think the only thing that should be allowed now are remote images.
Updated 10 years ago: tracking-fennec: --- → ?
Updated 10 years ago: tracking-fennec: ? → +
Updated 9 years ago: tracking-fxios: --- → +
Comment 1 • 9 years ago
This patch sets a *Content Security Policy* on pages served for Reading View. I've broken the patch down into small changes.
The policy that we set is as follows:
> `default-src 'none'; img-src *; style-src http://localhost:*; font-src http://localhost:*`
This allows nothing by default (no script, no inline, no objects, no iframes), and then makes an exception for styles and fonts to be loaded from localhost.
Attachment #8622510 - Flags: review?(sleroux)
Attachment #8622510 - Flags: review?(mgoodwin)
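As an added example (not code from this bug or from the firefox-ios project), the Python below models how a user agent resolves the policy quoted in comment 1: fetch directives that are not listed fall back to `default-src 'none'`, the `img-src *` wildcard covers network URLs but not `data:` URLs, and the localhost sources match the http scheme on any port. The matcher implements only a subset of the CSP source-matching rules (no host wildcards, no IPv6 literals, no http-to-https upgrade matching).

```python
from urllib.parse import urlsplit

# The policy quoted in comment 1 of this bug.
READER_VIEW_CSP = ("default-src 'none'; img-src *; "
                   "style-src http://localhost:*; font-src http://localhost:*")
# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "frame-src", "object-src"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(header):
    """Serialized policy -> {directive: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(expr, url):
    """Subset matcher: 'none', '*', and scheme://host:port host-sources
    with a '*' port wildcard (no host wildcards, no IPv6 literals)."""
    if expr == "'none'":
        return False
    u = urlsplit(url)
    if expr == "*":
        return u.scheme in DEFAULT_PORTS  # '*' never matches data:, blob:, ...
    e = urlsplit(expr if "://" in expr else "//" + expr)
    if e.scheme and e.scheme != u.scheme:
        return False  # strict: no http -> https upgrade matching here
    host, _, port = e.netloc.partition(":")
    if host.lower() != (u.hostname or ""):
        return False
    if port == "*":
        return True
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    return url_port == (int(port) if port else DEFAULT_PORTS.get(e.scheme or u.scheme))

def _sources_for(policy, directive):
    """Explicit sources, else default-src for fetch directives, else None."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    return sources

def check_load(policy, directive, url):
    """True if a load governed by `directive` may fetch `url` (no directive: unrestricted)."""
    sources = _sources_for(policy, directive)
    return sources is None or any(source_matches(s, url) for s in sources)

def allows_inline(policy, directive):
    """True if inline script/style is permitted for `directive`."""
    sources = _sources_for(policy, directive)
    return sources is None or "'unsafe-inline'" in sources

READER_VIEW_POLICY = parse_csp(READER_VIEW_CSP)
```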
Comment 2 • 9 years ago
Comment on attachment 8622510 [details] [review] PR: https://github.com/mozilla/firefox-ios/pull/602 LGTM!
Attachment #8622510 - Flags: review?(sleroux) → review+
Updated 9 years ago:
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment 3 • 9 years ago
Comment on attachment 8622510 [details] [review] PR: https://github.com/mozilla/firefox-ios/pull/602 Looks good to me.
Attachment #8622510 - Flags: review?(mgoodwin) → review+