mirror of
https://git.sr.ht/~seirdy/seirdy.one
synced 2024-11-23 21:02:09 +00:00
Introduce sandbox=strict
This commit is contained in:
parent
98b4b86156
commit
1edaaf58bb
1 changed files with 3 additions and 2 deletions
|
@ -68,16 +68,17 @@ Try reproducing the bug on the following pages:
|
||||||
2. [This page's canonical location](https://seirdy.one/meta/csp-bug-reproduction/).
|
2. [This page's canonical location](https://seirdy.one/meta/csp-bug-reproduction/).
|
||||||
3. [My homepage](https://seirdy.one/)
|
3. [My homepage](https://seirdy.one/)
|
||||||
4. [This page, but with an empty `sandbox` directive](https://seirdy.one/meta/csp-bug-reproduction/?sandbox=strict)
|
4. [This page, but with an empty `sandbox` directive](https://seirdy.one/meta/csp-bug-reproduction/?sandbox=strict)
|
||||||
|
4. [This page, but with a maximally strict CSP that breaks images, CSS, and more](https://seirdy.one/meta/csp-bug-reproduction/?sandbox=broken)
|
||||||
|
|
||||||
Note the following:
|
Note the following:
|
||||||
|
|
||||||
- If you can reproduce the bug on all four pages: the offending directives include a fetch directive.
|
- If you can reproduce the bug on all five pages: the offending directives include a fetch directive.
|
||||||
|
|
||||||
- If you can reproduce the bug on all pages _except_ the third or fourth: the offending directive is probably a `sandbox` directive's `allow-scripts` or `allow-same-origin` parameter, respectively.
|
- If you can reproduce the bug on all pages _except_ the third or fourth: the offending directive is probably a `sandbox` directive's `allow-scripts` or `allow-same-origin` parameter, respectively.
|
||||||
|
|
||||||
- If you can reproduce the bug on the second page but cannot reproduce the bug on the first page, [a different missing `sandbox` parameter](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox) is probably the culprit.
|
- If you can reproduce the bug on the second page but cannot reproduce the bug on the first page, [a different missing `sandbox` parameter](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox) is probably the culprit.
|
||||||
|
|
||||||
- If you can only reproduce the bug on my 404 page: the offending directive is `sandbox` without `allow-same-origin`.
|
- If you can only reproduce the fourth and fifth page: the offending directive is `sandbox` without `allow-same-origin`.
|
||||||
|
|
||||||
Other places to test
|
Other places to test
|
||||||
--------------------
|
--------------------
|
||||||
|
|
Loading…
Reference in a new issue