From b5b06626e1cdb4b8475d11059c380bb4ca6a31f0 Mon Sep 17 00:00:00 2001 From: Rohan Kumar Date: Thu, 10 Nov 2022 18:36:19 -0800 Subject: [PATCH] Support disabling sandbox altogether --- content/meta/csp-bug-reproduction.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/content/meta/csp-bug-reproduction.md b/content/meta/csp-bug-reproduction.md index 885de01..4b26c84 100644 --- a/content/meta/csp-bug-reproduction.md +++ b/content/meta/csp-bug-reproduction.md @@ -63,12 +63,15 @@ Some browser software breaks upon encountering strict CSPs. It's di Try reproducing the bug on the following pages: 1. [This page's canonical location](https://seirdy.one/meta/csp-bug-reproduction/) -2. [My homepage](https://seirdy.one/) -3. My 404 page +2. [This page again, but with a `sandbox` query parameter](https://seirdy.one/meta/csp-bug-reproduction/?sandbox=0) +3. [My homepage](https://seirdy.one/) +4. My 404 page Note the following: -- If you can reproduce the bug on all three pages: the offending directive is probably a fetch directive. +- If you can reproduce the bug on all four pages: the offending directive is probably a fetch directive. + +- If you can reproduce the bug on all pages _except_ the second (this page with the query parameter): the offending directive is probably a `sandbox` directive, even if it contains `allow-same-origin` and `allow-scripts`. - If you can _not_ reproduce the bug on this page, but _can_ reproduce the bug on my homepage and my 404 page: the offending directive is a `sandbox` directive that blocks scripts (no `allow-scripts` present).
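Review bot: the unchanged bullet after the new one ("If you can _not_ reproduce the bug on this page, but _can_ reproduce the bug on my homepage and my 404 page") is ambiguous now that the list links this page twice, as item 1 (canonical location) and item 2 (with `?sandbox=0`). Reword it to name the canonical location explicitly, the same way the new bullet names "the second (this page with the query parameter)". The link text for item 2 also says only "with a `sandbox` query parameter"; the commit subject indicates the parameter disables the sandbox, but the page never tells the reader that, and the new bullet's conclusion depends on it. Something like "This page again, with the `sandbox` directive disabled via a query parameter" would make the reasoning followable. This diff touches only the Markdown file, so the handling of `?sandbox=0` is not visible here; confirm that it is in place before the link goes live, otherwise item 2 behaves the same as item 1 and the new bullet's diagnosis does not hold.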