david-risney / csp-fiddler-extension Goto Github PK
View Code? Open in Web Editor NEWContent Security Policy rule collector extension for Fiddler
License: MIT License
Content Security Policy rule collector extension for Fiddler
License: MIT License
Does this extension provide recommended CSP for sites using HTTPS? Currently only sites using HTTP will provide any details within the CSP rule collector tab. Cant see any other documentation on this.
The string is "self" with no single quotes. I don't see this described in the CSP1 or CSP2 standard or in the MDN documentation for CSP.
In the rules divide up http from https even if it would otherwise have been the same. This will help folks trying to transition to https only remove http access.
Or just remove the master branch and make gh-pages the main.
This is a fresh install of Fiddler 4.5.1.2 on a Windows 7 system. I used the powershell command to pull the DLL today. I'm using Firefox 39.
CSP Headers are only being injected when the Enable Rule Collection on the CSP Rule Collector tab is UNCHECKED. This means I see the CSP errors in the Firefox Developer console only when Rule Collection is disabled. Enabled, there are no errors as no CSP header is being added.
Because Rule Collection is disabled, the URI is never added on the Rule Collector tab.
I found that if I Disabled rule collection, went to Firefox, Began loading a complex page, switched back to Fiddler and enabled Rule Collection, the Extension would capture the CSP error reports and generate a CSP for the traffic that was loaded after I clicked Enable Rule Collection. This of course only creates a partial rule, and attempting to browse to another page with Rule Collection Enabled means new CSP headers are not created for subsequent content.
Is this a bug in the extension? A change to Fiddler?
I repeated this on a Windows 10 system with the same results
Currently the textbox shows the details of the selected URI's minimal required CSP. When selecting more than one URI aggregate all of the CSP report violations to build one big aggregate minimal required CSP. Scenario is generating one CSP header for a set of pages on a site with the expectation that the related pages have very similar CSPs with small differences and its easier to set one policy for all than have to specify individual CSP headers per page.
Better logging for which property caused rejection or if its bad JSON etc.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.