Rietveld Code Review Tool

Issue 29590611: Issue 5953 - Bypass site CSP for script injection in Firefox (Closed)

Created: 6 months, 3 weeks ago by tschuster
Modified: 2 months, 4 weeks ago
Visibility: Public

Description

Issue 5953 - Bypass site CSP for script injection in Firefox

Patch Set 1

Patch Set 2: Actually inject the right code

Total comments: 1

Patch Set 3

Total comments: 2

Patch Set 4: Add comment

Stats (+6 lines, -1 line)
M inject.preload.js: 1 chunk, +6 lines, -1 line, 0 comments

Messages

Total messages: 18
tschuster
6 months, 3 weeks ago (2017-10-27 15:54:56 UTC) #1
Manish Jethani
Unfortunately this doesn't seem to work. You can put an alert in the injected function ...
6 months, 3 weeks ago (2017-10-27 17:56:59 UTC) #2
Manish Jethani
This doesn't work because of "script-src assets-cdn.github.com" in the header. It can only load scripts ...
6 months, 3 weeks ago (2017-10-27 18:08:53 UTC) #3
tschuster
On 2017/10/27 18:08:53, Manish Jethani wrote: > This doesn't work because of "script-src assets-cdn.github.com" in ...
6 months, 3 weeks ago (2017-10-27 19:11:53 UTC) #4
Manish Jethani
On 2017/10/27 19:11:53, tschuster wrote: > On 2017/10/27 18:08:53, Manish Jethani wrote: > > This ...
6 months, 3 weeks ago (2017-10-27 20:18:56 UTC) #5
Manish Jethani
By the way, since this is a change in adblockpluschrome, you should include both Sebastian ...
6 months, 3 weeks ago (2017-10-27 20:19:47 UTC) #6
tschuster
Interesting, I never realized that application/javascript is the official MIME type. Added the reviewers.
6 months, 2 weeks ago (2017-11-03 18:18:47 UTC) #7
Sebastian Noack
What if the CSP doesn't allow blob: URLs?
6 months, 2 weeks ago (2017-11-03 20:56:55 UTC) #8
tschuster
On 2017/11/03 20:56:55, Sebastian Noack wrote: > What if the CSP doesn't allow blob: URLs? ...
6 months, 2 weeks ago (2017-11-03 20:58:12 UTC) #9
Sebastian Noack
On 2017/11/03 20:58:12, tschuster wrote: > On 2017/11/03 20:56:55, Sebastian Noack wrote: > > What ...
6 months, 2 weeks ago (2017-11-03 21:12:06 UTC) #10
Sebastian Noack
https://codereview.adblockplus.org/29590611/diff/29596693/inject.preload.js File inject.preload.js (right): https://codereview.adblockplus.org/29590611/diff/29596693/inject.preload.js#newcode402 inject.preload.js:402: let blob = new Blob([code]); Nit: At least this ...
6 months, 2 weeks ago (2017-11-03 21:12:16 UTC) #11
kzar
https://codereview.adblockplus.org/29590611/diff/29596693/inject.preload.js File inject.preload.js (right): https://codereview.adblockplus.org/29590611/diff/29596693/inject.preload.js#newcode402 inject.preload.js:402: let blob = new Blob([code]); On 2017/11/03 21:12:15, Sebastian ...
6 months, 2 weeks ago (2017-11-06 11:32:51 UTC) #12
tschuster
On 2017/11/06 11:32:51, kzar wrote: > https://codereview.adblockplus.org/29590611/diff/29596693/inject.preload.js > File inject.preload.js (right): > > https://codereview.adblockplus.org/29590611/diff/29596693/inject.preload.js#newcode402 > ...
6 months ago (2017-11-17 14:49:03 UTC) #13
kzar
LGTM
6 months ago (2017-11-17 15:07:27 UTC) #14
Manish Jethani
LGTM
6 months ago (2017-11-17 15:11:09 UTC) #15
Manish Jethani
This issue can be closed now.
3 months, 2 weeks ago (2018-02-01 11:17:02 UTC) #16
Manish Jethani
On 2018/02/01 11:17:02, Manish Jethani wrote: > This issue can be closed now. This issue ...
2 months, 4 weeks ago (2018-02-21 14:52:59 UTC) #17
tschuster
2 months, 4 weeks ago (2018-02-21 18:27:13 UTC) #18
Message was sent while issue was closed.
On 2018/02/21 14:52:59, Manish Jethani wrote:
> On 2018/02/01 11:17:02, Manish Jethani wrote:
> > This issue can be closed now.
> 
> This issue still appears in my list of incoming reviews. Tom, can you close this
> please? I can't edit it.

Sorry, closed it.