.. -*- coding: utf-8 -*- .. role:: sref(numref) .. role:: xref(numref) .. Copyright (C) 2025, Wolfgang Scherer, .. This file is part of Netflix More More Info. .. Permission is granted to copy, distribute and/or modify this document .. under the terms of the GNU Free Documentation License, Version 1.3 .. or any later version published by the Free Software Foundation; .. with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. .. A copy of the license is included in the section entitled "GNU .. Free Documentation License". .. inline comments (with du_comment_role) .. role:: rem(comment) .. role:: html(raw) :format: html .. role:: shx(code) :language: sh .. rst-class:: narrow xmedium xlarge xhuge xultra ################################################## :rem:`|||:sec:|||`\ Content-Security-Policy ################################################## .. . (progn (forward-line 1) (snip-insert "rst_b.peek-a-boo" t t "rst") (insert "")) .. >>CODD See `the components of a doctoral dissertation and their order `_ .. >>CODD Dedication .. >>CODD Epigraph .. >>CODD Abstract .. \|:here:| .. >>CODD Introduction .. >>CODD Chapter ================================================== :rem:`|||:sec:|||`\ CSP "style-src 'self' ..." ================================================== CSP "style-src 'self' ..." does not throw an exception, but it can be caught with the following event handler (source: `javascript - How to detect Content Security Policy (CSP): Event Handler `_) .. code-block:: javascript document.addEventListener("securitypolicyviolation", (e) => { console.log("blockedURI:", e.blockedURI); console.log("violatedDirective:", e.violatedDirective); // console.log(e.originalPolicy); }); Adding styles to the document triggers the following messages: .. code-block:: text Content-Security-Policy: Die Einstellungen der Seite haben die Anwendung eines Inline-Styles (style-src-elem) blockiert, da er gegen folgende Direktive verstößt: "style-src 'self' ..." // from event handler: blockedURI: inline violatedDirective: style-src-elem It is still possible to add *constructed style sheets* to :attr:`document.adoptedStyleSheets` without triggering a CSP violation. ================================================== :rem:`|||:sec:|||`\ CSP "script-src 'self' ..." ================================================== CSP "script-src 'self' ..." can be caught with an exception, e.g. .. code-block:: javascript try { eval( " 1+ 1"); } catch (error) { console.log("e:", error); } e: EvalError: call to eval() blocked by CSP It also triggers the following messages: .. code-block:: text Content-Security-Policy: Die Einstellungen der Seite haben die Ausführung eines JavaScript-Evals (script-src) blockiert, da es gegen folgende Direktive verstößt: "script-src 'self' ..." // from event handler: blockedURI: eval violatedDirective: script-src Angular does it this way (source `javascript - How to detect Content Security Policy (CSP): Angular `_). .. code-block:: javascript function noUnsafeEval() { try { /* jshint -W031, -W054 */ new Function(''); /* jshint +W031, +W054 */ return false; } catch (e) { return true; } } A javascript link can still be added to the document, e.g. .. code-block:: javascript var parents = [], parent, node; var div = document.createElement("div"); parent = div; node = document.createElement("a"); node.textContent = "a javascript link (hiv)"; node.setAttribute("href", "javascript:%28function%28%29%7Bvar%20search_type%3D%22tv%22%3B%28function%28%29%7Blet%20value%3D%22none%22%3Bif%28window.hiv_active%29%7Bvalue%3D%22%22%3B%7D%0Adocument.querySelectorAll%28%22img%22%29.forEach%28function%28n%29%7Bn.style.display%3Dvalue%3B%7D%29%3Bdocument.querySelectorAll%28%22iframe%22%29.forEach%28function%28n%29%7Bn.style.display%3Dvalue%3B%7D%29%3Bdocument.querySelectorAll%28%22video%22%29.forEach%28function%28n%29%7Bn.style.display%3Dvalue%3B%7D%29%3Bwindow.hiv_active%3D%21window.hiv_active%3B%7D%29%28%29%3B%7D%29%28%29"); parent.appendChild(node); document.querySelector("body").append(div) However, clicking it triggers the CSP violation notice. When injecting the link from a bookmarklet, no CSP violation is triggered. When adding a link and attaching an event handler, e.g. .. code-block:: javascript div = document.createElement("div"); parent = div; node = document.createElement("a"); node.textContent = "a click handler"; parent.appendChild(node); document.querySelector("body").append(div); div.addEventListener("click", function (e) { console.log("hello world!"); return true; }); div.click(); the JavaScript code is executed without triggering a CSP violation. The JavaScript code from extensions is also injected into the document without triggering a CSP violation. .. >>CODD Conclusion .. >>CODD Appendix A .. \|:here:| .. >>CODD Notes .. ================================================== .. :rem:`|||:sec:|||`\ Footnotes .. ================================================== :html:`
` .. \[#] .. \|:info:| put local references here .. \|:info:| put local definitions here .. include:: doc_defs.inc .. include:: abbrev_defs.inc .. include:: doc_defs_combined.inc .. .. \||<-snap->|| doc_standalone .. include:: doc/doc_defs_secret.inc .. \||<-snap->|| doc_standalone .. \||<-snap->|| not_doc_standalone .. include:: doc_defs_secret.inc .. \||<-snap->|| not_doc_standalone .. _`Wolfgang Scherer`: wolfgang.scherer@gmx.de