ツイッターでブックマークレットが使えなくなった件 [メール投稿]

 ツイッターのstatusページでリロードのためのブックマークレットや引用ツイートのためのブックマークレットや、さらにはメールでブログに記事をアップロードするためのブックマークレットや、その他いろいろとブックマークレットを使っていたのだけど、Firefox 40.0にアップデートしてから使えなくなった。
 以前にブログ【Firefoxのブックマークレットが使えないサイトがある】で書いたように、Content Security Policy (CSP) が原因らしいが、それならばと、例えば上のツイートのHTTPヘッダを見てみたら、CSPの所は次のように書いてあった。
Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' https://* data:; frame-src 'self' https://* twitter:; img-src 'self' https://* blob: https://* data:; media-sr c 'self' https://* blob:; object-src; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://*; style-src 'unsafe-inline' 'self' https://*; report-uri;

 最新の【Content Security Policy Level 2】で関係ありそうなところを引用する。
7. Directives

This section describes the content security policy directives introduced in this specification. Directive names are case insensitive.

In order to protect against Cross-Site Scripting (XSS), web application authors SHOULD include:

both the script-src and object-src directives, or
include a default-src directive, which covers both scripts and plugins.

In either case, authors SHOULD NOT include either 'unsafe-inline' or data: as valid sources in their policies. Both enable XSS attacks by allowing code to be included directly in the document itself; they are best avoided completely.

7.15. script-src

The script-src
directive restricts which scripts the protected resource can execute. The directive also controls other resources, such as XSLT style sheets [XSLT], which can cause the user agent to execute script. The syntax for the name and value of the directive are described by the following ABNF grammar:

directive-name = "script-src"
directive-value = source-list

The term allowed script sources
refers to the result of parsing the script-src directive’s value as a source list if the policy contains an explicit script-src, or otherwise to the default sources.

If 'unsafe-inline' is not in the list of allowed script sources, or if at least one nonce-source or hash-source is present in the list of allowed script sources:

Whenever the user agent would execute an inline <script> from a script element that lacks a valid nonce and lacks a valid hash for the allowed script sources, instead the user agent MUST NOT execute script, and MUST report a violation.
Whenever the user agent would execute an inline script from an inline event handler, instead the user agent MUST NOT execute script, and MUST report a violation.
Whenever the user agent would execute script contained in a javascript URL, instead the user agent MUST NOT execute the script, and MUST report a violation.

Note: User agents may allow users to modify or bypass policy enforcement through user preferences, bookmarklets, third-party additions to the user agent, and other such mechanisms.


 ブックマークレットを使っている場合はCSPを無視させてもいいよ、と読めるのだけど、「may allow」であって、無視させることを推奨してないみたいだから、Firefoxとしては、無視しないことにしたのだろう。

nice!(0)  コメント(0)  トラックバック(0) 

nice! 0

コメント 0



トラックバック 0