Comments (8)
To detect whether the CSP allows the iframe to load, we can inject the iframe first and then use the iframe.onload function to find out whether the CSP allows injecting the iframe into the host page. If the injection is not supported, the iframe is then removed. I am currently working on this and will link this issue to the PR soon.
from privly-safari.
I think it would be better to examine headers directly.
from privly-safari.
We cannot examine the headers in Safari. In Chrome, this can be done using chrome.webRequest, but in Safari there is no corresponding API to do the same.
from privly-safari.
What about an AJAX request to the domain's robots.txt? That should allow you to check the headers, no?
from privly-safari.
Do you mean reading the domain's robots.txt? In that case, no. This can be seen at https://twitter.com/robots.txt
from privly-safari.
from privly-safari.
I tried sending an XMLHttpRequest to the robots.txt for https://twitter.com; however, when the getAllResponseHeaders() function was called, the output was:
x-response-time: 206
Date: Fri, 21 Aug 2015 23:37:16 GMT
Content-Encoding: gzip
Server: tsa_k
Strict-Transport-Security: max-age=631138519
Content-Type: text/plain;charset=utf-8
x-connection-hash: 17a962ba74892c8fc7a1c2cf6f4e22cc
Content-Length: 472
The above output does not contain any information about CSP.
from privly-safari.
It looks like the offending header is only sent for the initial request. I don't like performing an iframe injection experiment for every page load, but let's move forward with a solution we have instead of trying to find the best solution.
from privly-safari.
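Where the response headers of the page load can be read (the thread names chrome.webRequest in Chrome), the header check suggested above comes down to evaluating the policy's frame directive. The following is an added example, not code from privly-safari; the function names, the sample URLs and the restriction to a single policy string are assumptions.

```javascript
// Added example: decide from one Content-Security-Policy header value whether
// an iframe at frameUrl may load inside the page at pageUrl.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A directive that appears twice is ignored the second time.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(expr, frame, page) {
  const kw = expr.toLowerCase();
  if (kw === "'self'") return frame.origin === page.origin;
  if (kw.startsWith("'")) return false; // 'none', nonces and hashes never allow a frame URL
  if (kw === "*") return /^https?:$/.test(frame.protocol); // * covers network schemes only
  if (/^[a-z][a-z0-9+.-]*:$/.test(kw)) return frame.protocol === kw; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wild, host, port, path] = m;
  // Without a scheme the page's scheme applies; an http source also admits https.
  const want = scheme ? scheme.toLowerCase() + ":" : page.protocol;
  if (frame.protocol !== want && !(want === "http:" && frame.protocol === "https:")) return false;
  const h = host.toLowerCase();
  if (wild ? !frame.hostname.endsWith("." + h) : frame.hostname !== h) return false;
  // Without a port the source only matches the scheme's default port.
  const defaultPort = frame.protocol === "https:" ? "443" : "80";
  if (port !== "*" && (frame.port || defaultPort) !== (port || defaultPort)) return false;
  // A path ending in "/" is a prefix match; any other path must match exactly.
  if (path && path !== "/") {
    return path.endsWith("/") ? frame.pathname.startsWith(path) : frame.pathname === path;
  }
  return true;
}

function frameAllowedByCsp(headerValue, frameUrl, pageUrl) {
  const policy = parseCsp(headerValue);
  // Frames are governed by frame-src, falling back to child-src, then default-src.
  const name = ["frame-src", "child-src", "default-src"].find((d) => policy.has(d));
  if (!name) return true; // no applicable directive: frames are not restricted
  const frame = new URL(frameUrl), page = new URL(pageUrl);
  return policy.get(name).some((s) => sourceMatches(s, frame, page));
}
```

When a response carries several policies, the frame has to pass this check for each of them.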