Closed Bug 1527651 Opened 5 years ago Closed 5 years ago

Update Content Security Policy when injecting deterministic js in raptor tp6 recordings

Categories

(Testing :: Raptor, enhancement, P3)

Product:
Testing
Component:
Raptor
Version:
Version 3
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: Bebe, Unassigned)

References

Details

When injecting js code in raptor mitmproxy recordings we might trigger Content Security Policy

We need to update this policy when injecting code to make sure the js code gets executed properly

WPR is doing this when they are injecting js code:
https://github.com/catapult-project/catapult/blob/master/web_page_replay_go/src/webpagereplay/transformers.go#L336

The code that injects js in our recordings:
https://github.com/davehunt/raptor-studio/blob/master/scripts/inject-deterministic.py

Priority: -- → P3

One way to fix this is to disable CSP when running raptor tests

We can set "security.csp.enable": false in Firefox for example
for chrome: https://peter.sh/experiments/chromium-command-line-switches/#allow-running-insecure-content

Flags: needinfo?(rwood)
Flags: needinfo?(dave.hunt)

:vchin we are injecting the deterministic JavaScript into our page load recordings now, and have seen an issue with sites use CSP (Content Security Policy). The webpagereplay tool replaces any CSP headers to allow the injected script. We can either implement a similar solution into our mitmproxy script, or as :bebe suggests we can disable CSP in Firefox/Chromium.

Could your team help to determine which of these is preferable? Disabling CSP is much easier, but is there an expected impact on performance, rendering our page load tests less useful? Note that fixing this via a mitmproxy script will necessitate recording page loads again with the new script injected.

Flags: needinfo?(vchin)
Flags: needinfo?(rwood)
Flags: needinfo?(dave.hunt)

I fallowed the wpr work and migrated it to mitmproxy.
Implemented here: https://github.com/davehunt/raptor-studio/pull/9

If you know any CSP websites or tests please let me know I want to test the implementation

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Blocks: 1527280

Sorry for being late getting to this but it seems like we've resolved the issue in question. Please let me know if there is anything else you need from me!

Flags: needinfo?(vchin)
You need to log in before you can comment on or make changes to this bug.