
Circumvent Content Security Policy Options
Stefan Koell
Posted: Wednesday, December 17, 2014 6:03:13 AM
Rank: Advanced Member
Groups: Member

Joined: 12/23/2013
Posts: 114
Hi,

I realized that some websites set certain HTTP headers (script-src) to prevent script injection using the eval method.

See: http://www.html5rocks.com/en/tutorials/security/content-security-policy/

In this post it seems that a user, reporting a crash caused by this header, requested to stop script execution when the header is set:
http://www.essentialobjects.com/forum/postst8452_EOWebBrowser-This-WebView-has-already-been-destroyed-issue.aspx

So, now it's not possible to use eval to "inject" scripts into websites, and Chrome is currently the only browser that "honors" this header (with IE and WebKit/Safari, script evals are still possible).

I'm asking if you can somehow circumvent this Content Security Policy. While this policy makes sense in a standalone browser, it's kind of counterproductive for a web browser component embedded in an application where the main goal is to automate workflows.

Regards,
Stefan
eo_support
Posted: Sunday, December 21, 2014 2:59:03 PM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,196
Hi,

Sorry about the delay. We understand your concern. We have looked into Chrome's source code and there doesn't appear to be any way to bypass this. Since this feature is implemented by the Chrome browser engine and our product is based on it, we do not feel comfortable with making extensive changes to the engine. If it was a simple switch we would have been able to expose the switch to you, however this does not appear to be the case. Sorry about this!

It is, however, technically possible for us to extend the AfterHeaderReceived event to allow you to modify the header collection so that you will be able to remove this header entry in your code. This is not implemented in the current build. The current build does support the AfterHeaderReceived event, but the header collection at this stage is read-only. We will see if we can remove the read-only restriction. If that is implemented, then you will be able to remove the Content-Security-Policy header entry at this stage before it is passed downstream to the core engine.

Thanks!
Stefan Koell
Posted: Monday, December 22, 2014 5:27:10 AM
Rank: Advanced Member
Groups: Member

Joined: 12/23/2013
Posts: 114
First of all, thank you for looking into it. It's very much appreciated!

I understand that changing the policy handling in the original Chrome code may not be the desired route, but I think the workaround you offer to simply remove the header before the page is loaded/displayed would achieve the same. Please let me know if and when you are going to provide this interface, so that I can do some tests.

Thank you and happy holidays!
Stefan
eo_support
Posted: Monday, December 22, 2014 9:59:48 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 24,196
You are very welcome and happy holidays to you too!

