david-risney / csp-fiddler-extension Goto Github PK

Does this extension provide recommended CSP for sites using HTTPS? Currently only sites using HTTP will provide any details within the CSP rule collector tab. Cant see any other documentation on this.

The string is "self" with no single quotes. I don't see this described in the CSP1 or CSP2 standard or in the MDN documentation for CSP.

In the rules divide up http from https even if it would otherwise have been the same. This will help folks trying to transition to https only remove http access.

Or just remove the master branch and make gh-pages the main.

This is a fresh install of Fiddler 4.5.1.2 on a Windows 7 system. I used the powershell command to pull the DLL today. I'm using Firefox 39.

CSP Headers are only being injected when the Enable Rule Collection on the CSP Rule Collector tab is UNCHECKED. This means I see the CSP errors in the Firefox Developer console only when Rule Collection is disabled. Enabled, there are no errors as no CSP header is being added.

Because Rule Collection is disabled, the URI is never added on the Rule Collector tab.

I found that if I Disabled rule collection, went to Firefox, Began loading a complex page, switched back to Fiddler and enabled Rule Collection, the Extension would capture the CSP error reports and generate a CSP for the traffic that was loaded after I clicked Enable Rule Collection. This of course only creates a partial rule, and attempting to browse to another page with Rule Collection Enabled means new CSP headers are not created for subsequent content.

Is this a bug in the extension? A change to Fiddler?

I repeated this on a Windows 10 system with the same results

Currently the textbox shows the details of the selected URI's minimal required CSP. When selecting more than one URI aggregate all of the CSP report violations to build one big aggregate minimal required CSP. Scenario is generating one CSP header for a set of pages on a site with the expectation that the related pages have very similar CSPs with small differences and its easier to set one policy for all than have to specify individual CSP headers per page.

Better logging for which property caused rejection or if its bad JSON etc.