Closed Bug 1146596 Opened 9 years ago Closed 9 years ago

Apply a content security policy to the reader view content that we serve

Categories

(Firefox for iOS :: Reader View, defect)

x86
macOS
defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
fennec + ---
fxios + ---

People

(Reporter: st3fan, Assigned: st3fan)

References

Details

Attachments

(1 file)

Apply a CSP header to the /reader-mode/page endpoint that serves readability content. The policy can simply disallow embedded scripts, CSS, iframes and XHR. I think the only thing that should be allowed now are remote images.
tracking-fennec: --- → ?
tracking-fennec: ? → +
This patch sets a *Content Security Policy* on pages served for Reading View. I've broken the patch down into small changes.

The policy that we set is as follows:

> `default-src 'none'; img-src *; style-src http://localhost:*; font-src http://localhost:*`

This allows nothing by default (no script, no inline, no objects, no iframes), and then makes an exception for styles and fonts to be loaded from localhost.
Attachment #8622510 - Flags: review?(sleroux)
Attachment #8622510 - Flags: review?(mgoodwin)
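To see what the quoted policy actually permits, here is a small evaluator that parses the header value and decides, for a given fetch directive and URL, whether the load is allowed. This is an added example, not code from the firefox-ios project or from this patch; the policy string is the one quoted above, the sample loads and the localhost port numbers are constructed, and the matcher only implements the source forms this policy uses ('none', *, and scheme://host:port with a wildcard port).

```python
"""Evaluate the Reader View CSP quoted in this bug against sample resource loads.

Added example; not code from the firefox-ios project. The policy string is the
one quoted in the bug comment, the sample loads are constructed, and the matcher
covers only the source forms that policy uses ('none', *, scheme://host:port).
"""
from urllib.parse import urlsplit

READER_VIEW_POLICY = (
    "default-src 'none'; img-src *; "
    "style-src http://localhost:*; font-src http://localhost:*"
)

DEFAULT_PORTS = {"http": "80", "https": "443"}


def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Per CSP, a directive that appears twice keeps its first occurrence.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def _host_port(netloc: str):
    """Split 'host:port' into (host, port); port may be '' or the wildcard '*'."""
    host, sep, port = netloc.rpartition(":")
    if not sep:
        return netloc.lower(), ""
    return host.lower(), port


def source_matches(source: str, url: str) -> bool:
    """Return True if one source expression permits loading `url`."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source.startswith("'"):
        return False  # other keywords ('self', nonces, hashes) are not in this policy
    src = urlsplit(source if "://" in source else "//" + source)
    req = urlsplit(url)
    src_host, src_port = _host_port(src.netloc)
    req_host, req_port = _host_port(req.netloc)
    req_port = req_port or DEFAULT_PORTS.get(req.scheme, "")
    # Simplification: schemes must match exactly (the spec also lets an
    # http source match an https load on the same host).
    if src.scheme and src.scheme != req.scheme:
        return False
    if src_host.startswith("*."):
        if not req_host.endswith(src_host[1:]):
            return False
    elif src_host != req_host:
        return False
    if src_port == "*":
        return True  # localhost:* accepts whatever port the local server picked
    expected = src_port or DEFAULT_PORTS.get(src.scheme or req.scheme, "")
    return req_port == expected


def effective_sources(directives: dict, fetch_directive: str):
    """Resolve a fetch directive, falling back to default-src when it is absent."""
    if fetch_directive in directives:
        return directives[fetch_directive]
    return directives.get("default-src")


def allows_url(policy: str, fetch_directive: str, url: str) -> bool:
    """Would a load governed by `fetch_directive` (e.g. script-src) be allowed?"""
    sources = effective_sources(parse_csp(policy), fetch_directive)
    if sources is None:
        return True  # no directive and no default-src: the CSP imposes nothing
    return any(source_matches(s, url) for s in sources)


def allows_inline(policy: str, fetch_directive: str) -> bool:
    """Inline script/style needs 'unsafe-inline' (or a nonce/hash) in the effective list."""
    sources = effective_sources(parse_csp(policy), fetch_directive)
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    # Constructed sample loads a Reader View page might attempt.
    samples = [
        ("img-src", "https://example.com/photo.jpg"),
        ("script-src", "https://cdn.example.com/app.js"),
        ("style-src", "http://localhost:6571/reader.css"),   # constructed port
        ("style-src", "http://example.com/reader.css"),
        ("font-src", "http://localhost:8080/reader.woff"),   # constructed port
        ("frame-src", "https://example.com/"),
        ("connect-src", "https://api.example.com/data"),
    ]
    for directive, url in samples:
        verdict = "allow" if allows_url(READER_VIEW_POLICY, directive, url) else "block"
        print(f"{directive:12} {url:45} {verdict}")
    print("inline script:", "allow" if allows_inline(READER_VIEW_POLICY, "script-src") else "block")
```

Running it shows the behaviour the comment describes: every fetch type that has no explicit directive (script, frame, XHR, object) falls through to `default-src 'none'` and is blocked, images are allowed from anywhere, and stylesheets and fonts are allowed only from `http://localhost` on any port.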
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment on attachment 8622510 [details] [review]
PR: https://github.com/mozilla/firefox-ios/pull/602

Looks good to me.
Attachment #8622510 - Flags: review?(mgoodwin) → review+
