What is the set of whitelisted URLs for Firefox CSP? - firefox

As in the case of the Google Chrome browser (Google Chrome CSP), there is whitelisting of origins:
Currently, we allow whitelisting origins with the following schemes:
blob, filesystem, https, chrome-extension, and
chrome-extension-resource.
Is there any listing of such origins for Firefox? We are trying to write an add-on for Firefox which will need to load as an iframe.
I currently get the following CSP error when I am trying to load a frame.html read from my add-on XPI resources. It's a frame which then loads the actual frame.
Content Security Policy: The page's settings blocked the loading of a
resource at data:text/html;
An iframe with chrome-extensions:// as the path works for the Chrome browser; nothing like that is available for Firefox (at least I am unable to trace such a thing).
Please give us some suggestion on a path to get the iframe extension working.

On Firefox data:, blob: and filesystem: are subject to CSP. Use chrome: or resource: instead.
Update:
Apparently this approach will not work with the Add-on SDK, probably due to sandbox restrictions.
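As an added example (not code from the question or answer above), the simplified CSP source-list matcher below shows why a data: frame is rejected by a frame-src policy that lists only 'self', while resource: or chrome: URLs pass once those schemes appear as scheme-sources. It implements a subset of the CSP matching rules (no path matching, exact scheme comparison) and all URLs and policies in it are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin(url):
    """(scheme, host, port) triple used for 'self' comparison."""
    p = urlsplit(url)
    return (p.scheme, p.hostname or "", p.port or DEFAULT_PORTS.get(p.scheme))


def source_matches(expr, url, page_url):
    """True if a single CSP source expression allows url (simplified rules)."""
    expr = expr.strip()
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin(url) == origin(page_url)
    if expr == "*":
        # '*' only covers network schemes; data:/blob:/filesystem: are never implied
        return u.scheme in DEFAULT_PORTS
    if expr.endswith(":") and "/" not in expr:
        # scheme-source such as data:, resource:, chrome:
        return u.scheme == expr[:-1]
    # host-source: [scheme://]host[:port][/path]; the path part is ignored here
    want_scheme, rest = expr.split("://", 1) if "://" in expr else (None, expr)
    host, _, port = rest.split("/", 1)[0].partition(":")
    if want_scheme and u.scheme != want_scheme:
        return False
    if host.startswith("*."):
        if not (u.hostname or "").endswith(host[1:]):  # "*.x" must not match bare "x"
            return False
    elif (u.hostname or "") != host:
        return False
    if port and port != "*" and str(u.port or DEFAULT_PORTS.get(u.scheme)) != port:
        return False
    return True


def csp_allows(source_list, url, page_url):
    """Evaluate one directive's source list (e.g. the value of frame-src)."""
    return any(source_matches(e, url, page_url) for e in source_list.split())


# Constructed add-on scenario: the page frames a data: URL, then a resource: URL.
PAGE = "https://www.example.test/index.html"
DATA_FRAME = "data:text/html;charset=utf-8,<p>hi</p>"
RESOURCE_FRAME = "resource://my-addon/frame.html"  # hypothetical add-on URL
```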

Related

Preflight CORS request fail on some versions of Firefox

Using Firefox 45.8.0 ESR on Windows.
Trying to load https://secure.scheduleonce.com/dana
The page doesn't load, and in the network panel I see a crossed padlock icon instead of green padlock icon for this request:
OPTIONS https://cfproxy.scheduleonce.com/get-data/GetLandingPageLayout
When floating over the padlock I see the following message:
The connection used to fetch this request was not secure.
The page loads fine on Chrome / Safari / IE and even more recent version of FF.
Is there any way to debug exactly what's wrong with that request to the resource? FF doesn't give me any information as to what went wrong.
I suspect it might be related to the fact it's a preflight CORS request (the requested domain is different from the hosting page's domain).
Attaching HAR file of the network: https://www.dropbox.com/s/i59k66a2w8p3ast/Archive%2017-09-10%2007-06-15.har?dl=0
Can be viewed here: (https://toolbox.googleapps.com/apps/har_analyzer)
Thanks.
Problem was with the cipher suite choice on the server.
I used this site to change it, to support older browsers as well:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
I don't know what was in FF 45.8.0 ESR that made it not respect the security of the server.

Firefox won't allow an HTTPS resource to be called on an HTTP page

In Chrome, I can call a secure URL (exampleB.com) from an insecure page (exampleA.com); in Firefox, they block it.
Is this a bug? It seems HTTPS should be allowed from anywhere.
Resource being called is simply an IMG tag / GET request.
This was a bug with Firefox itself. The CORS handling was backwards :)

Custom Web Browser - To Load only my URL - Firefox

I need a portable web browser, or any installable (Windows) browser, which will only load my URL.
Something like: I will have a shortcut on the desktop, and when the user clicks it, the web browser loads with my URL.
Is it possible to modify portable Firefox for this? I also need cookies to work along with it; that's the reason I need to find a custom web browser.
I just found a partial solution using the
Mozilla Client Customization Kit; we can create an extension which allows customizing Firefox up to certain limitations.
https://addons.mozilla.org/en-US/firefox/addon/cck/

Webkit Cocoa - WebView issues

Within a Cocoa application I have a webview. When Google's personalized home page loads I get the following message caught by the WebViewDelegate:
Unsafe JavaScript attempt to access frame with URL http://www.google.ca/ from frame with URL http://www.ig.gmodules.com/gadgets...
Is there a setting that I set to make this error go away? It doesn't seem to cause any actual problems, but should be resolved.
That sounds like an issue on Google's end, I don't think there's anything you can do there. It means that an iframe with www.ig.gmodules.com loaded is trying to request something from www.google.ca, which according to the browser is a cross-domain request. If Google wanted to allow that they'd need a crossdomain.xml allowing the requests.

Easy way to determine what content is not delivered using a secure HTTPS connection?

I have some pages that are sent via HTTPS. Internet Explorer sometimes complains about "This webpage contains content that will not be delivered using a secure HTTPS".
I looked in the HTML source to confirm all content calls (href, src, etc.) are sent via HTTPS. My CSS files use relative paths. But I'm still getting these warnings.
Is there an easy way to track down which items are not sent via HTTPS?
You could fire up Fiddler to see what exactly IE is requesting over regular HTTP.
In Fiddler's default configuration, HTTPS requests will show up with a lock and CONNECT as the host. HTTP requests will have a non-lock icon.
I usually use Firefox + Firebug (the "Net" tab) to find the offending request. You could also use Fiddler for this. (with any browser)
I've used the following site before - I find it easier than loading up Firebug / Fiddler.
http://www.whynopadlock.com/
You can use SslCheck
It's a free online tool that crawls a website recursively (following all internal links) and scans for unsecure content - images, scripts and CSS.
(disclaimer: I'm one of the developers)
In Google Chrome, similar to Firefox w/ FireBug, you can use the 'Network' tab of the Developer Tools console.
Open the Developers Tools console, go to the 'Network' tab, and reload the target page. Any warnings with the page, such as insecure content being loaded, will be indicated with the number of warning and an 'alert' icon in the bottom right corner (Chrome v23.x). Click on the icon and a list of the warnings, in this case, the resources being loaded insecurely, will be displayed.
Using the following tools could help:
Firefox's Firebug: opening the Network tab shows you connection details for multiple resources.
Fiddler: acts as a sniffer and allows you to explore details of the connection.
Using Firefox: view generated source vs. viewing source.
There is probably a JavaScript file that is creating a div/iframe that is insecure.
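The answers above point at Fiddler, Firebug, and crawler sites to find the resource that is not fetched over HTTPS. As an added example (not from any of the posts), the Python scanner below does the static part of that job: it parses a page, resolves every sub-resource URL against the page URL (so relative paths and scheme-relative URLs are correctly treated as HTTPS) and reports the ones that resolve to http:. The HTML is constructed; as the last answer notes, elements injected by JavaScript at runtime are not visible to a source scan like this.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a sub-resource.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "source": ("src", "srcset"), "audio": ("src",),
    "video": ("src", "poster"), "embed": ("src",), "object": ("data",),
}


class MixedContentScanner(HTMLParser):
    """Collect sub-resource URLs and flag those that resolve to plain http:."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, attribute, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):  # <base> changes how relatives resolve
            self.page_url = urljoin(self.page_url, attrs["href"])
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            if attr == "srcset":  # comma-separated "url descriptor" candidates
                urls = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value]
            for raw in urls:
                absolute = urljoin(self.page_url, raw.strip())
                if urlsplit(absolute).scheme == "http":
                    self.insecure.append((tag, attr, absolute))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure


# Constructed HTTPS page: relative and scheme-relative URLs are fine, three are not.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="css/site.css">
<script src="http://static.example.test/app.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="//cdn.example.test/hero.jpg">
<img srcset="http://cdn.example.test/a.jpg 1x, https://cdn.example.test/b.jpg 2x">
<iframe src="http://widgets.example.test/embed"></iframe>
</body></html>"""
```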
