Setting your Addon's CSP

Admittedly, a brief post about CSP

Nahuel Molina | Silvio
3 min readJan 10, 2022

This is nothing extraordinary; I just think it is a good idea to document a problem I ran into some time ago. It started with Addons in Firefox, and later I carried it over to other browsers because of my ignorance about this topic.

This happened a few months ago, or maybe this draft has been sitting around for more months or even an entire year. Anyway, while building an Addon for Firefox, I got stuck because the HTML did not recognize extra resources such as images or even cdnjs.

That serves as an introduction; now let's begin with a brief, technical explanation.

Content Security Policy

Content Security Policy (CSP) controls which URI and URL resources may be used in your browser Addon, whether in Firefox or Chrome, or any browser except Internet Explorer, which no longer exists. The truth is that CSP was created to prevent exploitation of XSS vulnerabilities.

First, it is essential to understand the syntax and the different ways to configure your app in terms of which resources it is allowed to use. One method I found while surfing the internet was modifying your HTML's head, which is the standard way, writing the META tag there. That allows the document to load CDN scripts, blob data, URIs in general, and other odd resources you may have.

However, what really concerns us is a method that helps specifically with our Addon app. I say this because of all my failed attempts at configuring the HTML documents.

So I dug deeper into the corresponding documentation, which is what I should have done from the beginning, and an answer hit me like a punch. Editing my manifest.json would solve all my problems, and that was it; it worked. It is very simple to apply…

Look at line 14: I added a content_security_policy field, and that's all. What comes next is to follow the explanation of how to configure it, so that you cover your specific case. Supposedly that is sufficient; to be honest, I have never seen an attack like this, but I guess any software attack can be “seen”.
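As an added example (not code from the original post), here is a constructed Firefox MV2 manifest.json with the loosened content_security_policy that tends to appear when someone is just trying to make a CDN load, beside the tighter version that names only the one origin actually needed, plus a small check that flags the weak sources. The add-on name, version and the cdnjs origin are assumptions.

```python
import json

# Constructed manifests (not from the post). The weak one allows scripts from
# anywhere plus inline script, which is exactly what CSP exists to prevent.
WEAK_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "demo-addon",
    "version": "1.0",
    "content_security_policy": "script-src * 'unsafe-inline'; object-src 'self'",
})

# The corrected one keeps 'self' and adds only the CDN origin the add-on uses.
FIXED_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "demo-addon",
    "version": "1.0",
    "content_security_policy":
        "script-src 'self' https://cdnjs.cloudflare.com; object-src 'self'",
})


def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_findings(policy: str) -> list:
    """Return a list of 'directive: source' strings for sources that
    defeat the point of the policy (wildcards, inline/eval, whole schemes,
    plaintext origins)."""
    findings = []
    for name, sources in parse_csp(policy).items():
        for src in sources:
            s = src.lower()
            if s in ("*", "'unsafe-inline'", "'unsafe-eval'",
                     "http:", "https:", "data:", "blob:") \
                    or s.startswith("http://"):
                findings.append(f"{name}: {src}")
    return findings


def check_manifest(manifest_json: str) -> list:
    """Locate the CSP in a manifest (string form for MV2, object with
    'extension_pages' for MV3) and report weak sources."""
    csp = json.loads(manifest_json).get("content_security_policy")
    if csp is None:
        return []  # no field: the browser's default policy applies
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    return csp_findings(csp)
```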

How CSP works, or what I understood

Okay, I have already finished “solving” this “problem”, but… security in plain text seems to be something interesting to read about. What I mean is that I will document some curious points, because my free time is long, too long.

Django has a role in this, since the framework sends an HTTP header with the policy inside it. It is clearer with monolithic applications, because the local server itself serves the frontend. Modifying the settings file seems to be enough.

Things get more complex with microservices: now you have to be careful with two apps, and even let the load balancer join the conversation when you integrate a real server like nginx. As with any project, the more improvements you find necessary, the more time and development it will cost you. React or Angular projects should be configured to accept the corresponding resources, as all frameworks do, but I am not a frontend developer and I cannot tell you how.

It has been a long time since I wrote on Medium, and certainly, ideas have not been visiting me. This will be a short post, and thanks for reading again!
