Replaced references to Firefox with Mozilla

This commit is contained in:
dcollazo 2013-02-11 15:21:52 -08:00
Родитель 03fa2f75ad
Коммит 8d6142d112
1 изменённых файлов: 13 добавлений и 13 удалений

Просмотреть файл

@ -44,7 +44,7 @@ This gem makes a few assumptions about how you will use some features. For exam
* It adds 'chrome-extension:' to your CSP directives by default. This helps drastically reduce the amount of reports, but you can also disable this feature by supplying :disable_chrome_extension => true. * It adds 'chrome-extension:' to your CSP directives by default. This helps drastically reduce the amount of reports, but you can also disable this feature by supplying :disable_chrome_extension => true.
* It fills any blank directives with the value in :default_src Getting a default\-src report is pretty useless. This way, you will always know what type of violation occurred. You can disable this feature by supplying :disable_fill_missing => true. * It fills any blank directives with the value in :default_src Getting a default\-src report is pretty useless. This way, you will always know what type of violation occurred. You can disable this feature by supplying :disable_fill_missing => true.
* It copies the connect\-src value to xhr\-src for AJAX requests. * It copies the connect\-src value to xhr\-src for AJAX requests.
* Firefox does not support cross\-origin CSP reports. If we are using Firefox, AND the value for :report_uri does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (the forward_endpoint value or FF_CSP_ENDPOINT). This is also the case if :report_uri only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in :report_uri without restriction. More information can be found in the "Note on Firefox handling of CSP" section. * Mozilla does not support cross\-origin CSP reports. If we are using Mozilla, AND the value for :report_uri does not satisfy the same\-origin requirements, we will instead forward to an internal endpoint (the forward_endpoint value or FF_CSP_ENDPOINT). This is also the case if :report_uri only contains a path, which we assume will be cross host. This endpoint will in turn forward the request to the value in :report_uri without restriction. More information can be found in the "Note on Mozilla handling of CSP" section.
## Configuration ## Configuration
@ -97,9 +97,9 @@ header will be constructed using the supplied options.
### Content Security Policy (CSP) ### Content Security Policy (CSP)
All browsers will receive the webkit csp header except Firefox, which gets its own header. All browsers will receive the webkit csp header except Mozilla, which gets its own header.
See [WebKit specification](http://www.w3.org/TR/CSP/) See [WebKit specification](http://www.w3.org/TR/CSP/)
and [Firefox CSP specification](https://wiki.mozilla.org/Security/CSP/Specification) and [Mozilla CSP specification](https://wiki.mozilla.org/Security/CSP/Specification)
```ruby ```ruby
:csp => { :csp => {
@ -168,7 +168,7 @@ and [Firefox CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
} }
# Chrome # Chrome
> "default-src 'unsafe-inline' 'unsafe-eval' https://* chrome-extension:; report-uri /uri-directive;" > "default-src 'unsafe-inline' 'unsafe-eval' https://* chrome-extension:; report-uri /uri-directive;"
# Firefox # Mozilla
> "options inline-script eval-script; allow https://*; report-uri /uri-directive;" > "options inline-script eval-script; allow https://*; report-uri /uri-directive;"
# turn off inline scripting/eval # turn off inline scripting/eval
@ -178,7 +178,7 @@ and [Firefox CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
} }
# Chrome # Chrome
> "default-src https://*; report-uri /uri-directive;" > "default-src https://*; report-uri /uri-directive;"
# Firefox # Mozilla
> "allow https://*; report-uri /uri-directive;" > "allow https://*; report-uri /uri-directive;"
# Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript # Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript
@ -191,21 +191,21 @@ and [Firefox CSP specification](https://wiki.mozilla.org/Security/CSP/Specificat
} }
# Chrome # Chrome
"default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;" "default-src 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
# Firefox # Mozilla
"allow 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;" "allow 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com;"
``` ```
## Note on Firefox handling of CSP ## Note on Mozilla handling of CSP
Currently, Firefox does not support the w3c draft standard. So there are a few steps taken to make the two interchangeable. Currently, Mozilla does not support the w3c draft standard. So there are a few steps taken to make the two interchangeable.
Firefox > 18 partially supports the standard via using the default\-src directive over allow/options, but the following inconsistencies remain. Mozilla > 18 partially supports the standard via using the default\-src directive over allow/options, but the following inconsistencies remain.
* inline\-script or eval\-script values in default/style/script\-src directives are moved to the options directive. Note: the style\-src directive is not fully supported in Firefox \- see https://bugzilla.mozilla.org/show_bug.cgi?id=763879. * inline\-script or eval\-script values in default/style/script\-src directives are moved to the options directive. Note: the style\-src directive is not fully supported in Mozilla \- see https://bugzilla.mozilla.org/show_bug.cgi?id=763879.
* CSP reports will not POST cross\-origin. This sets up an internal endpoint in the application that will forward the request. Set the "forward_endpoint" value in the CSP section if you need to post cross origin for firefox. * CSP reports will not POST cross\-origin. This sets up an internal endpoint in the application that will forward the request. Set the "forward_endpoint" value in the CSP section if you need to post cross origin for firefox.
* Firefox adds port numbers to each /https?/ value which can make local development tricky with mocked services. Add environment specific code to configure this. * Mozilla adds port numbers to each /https?/ value which can make local development tricky with mocked services. Add environment specific code to configure this.
### Adding the Firefox report forwarding endpoint ### Adding the Mozilla report forwarding endpoint
**You need to add the following line to the TOP of confib/routes.rb** **You need to add the following line to the TOP of confib/routes.rb**
**This is an unauthenticated, unauthorized endpoint. Only do this if your report\-uri is not on the same origin as your application!!!** **This is an unauthenticated, unauthorized endpoint. Only do this if your report\-uri is not on the same origin as your application!!!**
@ -308,7 +308,7 @@ end
## Acknowledgements ## Acknowledgements
* Justin Collins [@presidentbeef](https://twitter.com/presidentbeef) & Jim O'Leary [@jimio](https://twitter.com/jimio) for reviews. * Justin Collins [@presidentbeef](https://twitter.com/presidentbeef) & Jim O'Leary [@jimio](https://twitter.com/jimio) for reviews.
* Ian Melven [@imelven](https://twitter.com/imelven) - Discussions/info about CSP in general, made us aware of the [userCSP](https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/) Firefox extension. * Ian Melven [@imelven](https://twitter.com/imelven) - Discussions/info about CSP in general, made us aware of the [userCSP](https://addons.mozilla.org/en-US/firefox/addon/newusercspdesign/) Mozilla extension.
* Sumit Shah [@omnidactyl](https://twitter.com/omnidactyl) - For being an eager guinea pig. * Sumit Shah [@omnidactyl](https://twitter.com/omnidactyl) - For being an eager guinea pig.
* Chris Aniszczyk [@cra](https://twitter.com/cra) - For running an awesome open source program at Twitter. * Chris Aniszczyk [@cra](https://twitter.com/cra) - For running an awesome open source program at Twitter.