From mlibra at redhat.com Thu Feb 25 09:28:26 2016
From: Marek Libra
To: cockpit-devel at lists.fedorahosted.org
Subject: Re: Download generated file, content-security-policy
Date: Thu, 25 Feb 2016 04:28:18 -0500
Message-ID: <1347176222.52947054.1456392498469.JavaMail.zimbra@redhat.com>
In-Reply-To: 56CDA4CD.1010303@redhat.com

Please excuse the wrong formatting in my previous post. I'm sending the files as attachments now.

----- Original Message -----
> From: "Stef Walter"
> To: "Development discussion for the Cockpit Project"
> Sent: Wednesday, February 24, 2016 1:40:45 PM
> Subject: Re: Download generated file, content-security-policy
>
> On 24.02.2016 12:58, Marek Libra wrote:
> > Hi,
> >
> > Does anyone know how to set up the content-security-policy to allow
> > content generated by JavaScript to be downloaded in a similar way as a file?
> >
> > Please have a look at the code below. I would expect the download of
> > "myFile.txt" with content "hello"
> > to start when clicking on the link.
> >
> > Unfortunately, Firefox 44 complains with: Content Security Policy:
> > The page's settings blocked the loading of a
> > resource at data:plain/text,hello ("default-src
> > https://192.168.122.101:9090 'unsafe-inline' 'unsafe-eval'").
> >
> > Thanks for your help, Marek
>
>
> > -----------------
> > manifest.json:
> >
> > {
> >     "version": 0,
> >     "tools": {
> >         "mytest": {
> >             "label": "cspTest",
> >             "path": "csp.html"
> >         }
> >     },
> >
> >     "content-security-policy": "default-src 'self' data: https: 'unsafe-inline' 'unsafe-eval'"
> > }
> >
> > -----------------
> > csp.html:
> >
> > <html>
> > <head>
> >     <meta charset="utf-8">
> >     <link href="../base1/cockpit.css" type="text/css" rel="stylesheet">
> > </head>
> > <body>
> >     <a href="data:plain/text, hello" download="myFile.txt">Static content</a>
> > </body>
> > </html>
>
> This example, once I fixed the HTML tags, seemed to work in Chrome but
> not in Firefox. My Firefox (44.0.2) doesn't complain about CSP though.
>

This is strange, since Firefox 44.0.2 does not complain all the time. Please refresh and try clicking once again. The CSP error will display (or repeat).

Anyway, regardless of the CSP error message, the download is not started in Firefox. It works fine when opening in a new tab. Could it be a Firefox bug?

> Does the behavior change when clicking on the link and choosing 'This
> frame | Open frame in new Tab'? That is, when displaying the cspTest
> plugin in its own browser window?
>
> What kind of download are you trying to simulate? Something from the
> server perhaps? When working on the sosreport plugin we had to add
> support to do just that. You can see an example here:
>
> https://github.com/cockpit-project/cockpit/blob/master/pkg/sosreport/index.js#L101

I plan to generate console.vv for remote-viewer. I have all the data already in the browser (JavaScript).
If possible, I would like to avoid placing the content on the filesystem before download or setting up a new proxy service running on the host and serving the request.
>
> Cheers,
>
> Stef

Attachment: manifest.json (application/json)
Attachment: csp.html (text/html)
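The policy in manifest.json lists `data:` as a source, while the policy quoted in the Firefox error message does not. As an added example (not part of the original thread and not Cockpit code), the simplified matcher below checks a URL against the `default-src` list of each of those two strings; `PAGE_ORIGIN` is assumed from the origin shown in the error message, and all function names are hypothetical.

```javascript
// Added example: simplified CSP source-list matching. It handles keywords,
// scheme-sources and scheme://host[:port] sources only (no paths, host
// wildcards, nonces or hashes). Policy strings are copied from the thread.
const MANIFEST_POLICY = "default-src 'self' data: https: 'unsafe-inline' 'unsafe-eval'";
const REPORTED_POLICY = "default-src https://192.168.122.101:9090 'unsafe-inline' 'unsafe-eval'";
const PAGE_ORIGIN = 'https://192.168.122.101:9090'; // assumption: origin of the page

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // CSP ignores a repeated directive: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === selfOrigin;
  if (s.startsWith("'")) return false; // 'none', 'unsafe-inline', ... match no URL
  if (s === '*') return !['data:', 'blob:', 'filesystem:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source
  try {
    // Host-source with an explicit scheme; opaque origins ("null") never match.
    return url.origin !== 'null' && new URL(s).origin === url.origin;
  } catch {
    return false; // scheme-less host sources are out of scope for this sketch
  }
}

function allows(policy, href, selfOrigin, directive = 'default-src') {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (sources === undefined) return true; // no directive restricts this load
  const url = new URL(href);
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}

function compare(href) {
  return { manifest: allows(MANIFEST_POLICY, href, PAGE_ORIGIN),
           reported: allows(REPORTED_POLICY, href, PAGE_ORIGIN) };
}

console.log(compare('data:plain/text,hello'));
console.log(compare('https://192.168.122.101:9090/cockpit/'));
```

The check says nothing about which directive a browser applies to a download link; it only shows that the two source lists give different answers for the same `data:` URL.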