Hi Jeremy,

it seems from your other post like you have discovered that CSP is implemented as an nsIContentPolicy and uses shouldLoad to check if things should be allowed based on the specific policy.

the header parsing etc is done in nsDocument::InitCSP(nsIChannel* aChannel) in nsDocument.cpp

inline scripts/eval and inline styles (once bug 763879 is finished) are blocked via a different mechanism, by checking the CSP's allowsInlineScript and allowsEval attributes.

something like http://mxr.mozilla.org/mozilla-central/search?string=allowsInlineScript will help you find the places where allowing inline script is checked, for example.

cheers,
ian

----- Original Message -----
From: "jeremy ralegh" <[email protected]>
To: [email protected]
Sent: Saturday, March 16, 2013 5:53:26 AM
Subject: Way of CSP code in FF

Hello,

after reading through many lines of code to understand CSP implementation in FF I'm still a bit confused. How exactly is the code flow when one opens a web site in FF that uses a CSP policy? I mean, I've checked files like contentSecurityPolicy.js, CSPUtils.jsm, nsIContentPolicy.h and several more, but I still don't get it right.

Do you know of any helpful documentation, scheme, comment or whatsoever that helps understanding better, how FF
- recognizes a CSP policy
- checks the policy values
- uses functionality to block certain elements (in detail)
- handles inline scripts?

I've read all the "theoretical" papers on W3C, Mozilla, etc. I could get my hands on, but in fact I've found very little that describes the FF implementation of CSP in more detail.

Any idea friends?

Best Regards,
Jeremy
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
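
The three stages named in the reply above (header parsing, a shouldLoad check for external loads, and separate allowsInlineScript/allowsEval attributes), as an added example that is not part of the original thread and is not Firefox source code. It is a simplified model assuming CSP 1.0 directive syntax; `parsePolicy`, `matchesSource`, `makeCsp` and the sample origins are constructed for illustration.

```javascript
// Simplified model of the flow in the thread; NOT Firefox source code.
// parsePolicy, matchesSource, makeCsp and all sample values are constructed here.
const TYPE_TO_DIRECTIVE = { script: "script-src", image: "img-src", stylesheet: "style-src" };

// Step 1: header parsing (Firefox does this from nsDocument::InitCSP).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Source matching reduced to keywords, scheme sources and exact origins/hosts
// (no wildcard hosts, ports or paths in this model).
function matchesSource(source, uri, selfOrigin) {
  if (source === "*") return true;
  if (source === "'self'") return uri.origin === selfOrigin;
  if (source.startsWith("'")) return false; // 'none', 'unsafe-inline', ... never match a URI
  if (source.endsWith(":")) return uri.protocol === source;
  return source.includes("://") ? uri.origin === source : uri.host === source;
}

function makeCsp(header, selfOrigin) {
  const policy = parsePolicy(header);
  // A missing directive falls back to default-src.
  const sourcesFor = (d) => policy.get(d) ?? policy.get("default-src");
  const scriptKeyword = (kw) => {
    const s = sourcesFor("script-src");
    return s === undefined || s.includes(kw);
  };
  return {
    // Step 2: external loads go through the content-policy hook (shouldLoad).
    shouldLoad(contentType, location) {
      const sources = sourcesFor(TYPE_TO_DIRECTIVE[contentType]);
      if (sources === undefined) return true; // nothing governs this load
      const uri = new URL(location);
      return sources.some((s) => matchesSource(s, uri, selfOrigin));
    },
    // Step 3: inline script and eval are not loads, so they are gated by
    // attributes checked at the point of execution instead.
    allowsInlineScript: scriptKeyword("'unsafe-inline'"),
    allowsEval: scriptKeyword("'unsafe-eval'"),
  };
}
```

With a policy such as `default-src 'self'; script-src 'self' https://cdn.example`, an external script is decided by `shouldLoad`, while an inline `<script>` block is decided only by `allowsInlineScript`, which is why the two code paths have to be traced separately.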
