
Bowser violates CSP due to injection of owr.js

Open longsleep opened this issue 10 years ago • 9 comments

Bowser treats the locally injected owr.js as insecure and thus fails to load it on any page that implements a CSP.

Refused to connect to 'http://localhost:10717/owr.js' because it violates the following Content Security Policy directive: "connect-src 'self' wss://spreed.me/ws blob:". 13.01.2016 17:13:43 SecurityError: DOM Exception 18: An attempt was made to break through the security policy of the user agent.

This essentially makes it impossible to support Bowser with Spreed WebRTC as configured on https://spreed.me/ - The question for Bowser support came up in https://github.com/strukturag/spreed-webrtc/issues/251

longsleep avatar Jan 13 '16 16:01 longsleep
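The refusal quoted in this report is a plain consequence of how a browser matches a request URL against a `connect-src` source list. As an added example (not code from Bowser, OpenWebRTC or Spreed WebRTC), the JavaScript below models that matching for CSP Level 3 host-source, scheme-source and `'self'` expressions and evaluates the directive from the error message against the URLs that appear in this thread. The page origin `https://spreed.me/` and the sample path `/api/v1/rooms` are assumptions for illustration; nonces, hashes and redirect handling are left out since this directive uses none of them.

```javascript
// Added example, not code from Bowser or Spreed WebRTC: a small model of how a
// browser evaluates a CSP source list (CSP Level 3 host-source, scheme-source
// and 'self' matching) so the "Refused to connect" error can be reproduced
// offline. Nonces, hashes, 'unsafe-*' keywords and redirects are left out.

const DEFAULT_PORT = { 'http:': 80, 'https:': 443, 'ws:': 80, 'wss:': 443 };

// Effective port of a URL object: the explicit port, else the scheme default.
function effectivePort(u) {
  return u.port ? Number(u.port) : DEFAULT_PORT[u.protocol];
}

// CSP "scheme-part matching": an expression for http also covers https, and
// one for ws covers wss/http/https (secure upgrade is allowed, never downgrade).
function schemeMatches(expr, actual) {
  if (expr === actual) return true;
  if (expr === 'http:') return actual === 'https:';
  if (expr === 'ws:') return ['wss:', 'http:', 'https:'].includes(actual);
  if (expr === 'wss:') return actual === 'https:';
  return false;
}

// 'self' per CSP3: same host, same effective port, and either the same scheme
// or a secure (https/wss) URL requested from an http/https origin.
function matchesSelf(url, origin) {
  if (url.hostname !== origin.hostname) return false;
  if (effectivePort(url) !== effectivePort(origin)) return false;
  if (url.protocol === origin.protocol) return true;
  return ['https:', 'wss:'].includes(url.protocol) &&
         ['http:', 'https:'].includes(origin.protocol);
}

const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/[^?#]*)?$/i;

// One source expression (e.g. wss://spreed.me/ws, blob:, 'self') against a URL.
function matchesExpression(expr, url, origin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return matchesSelf(url, origin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {          // scheme-source, e.g. blob:
    return schemeMatches(expr.toLowerCase(), url.protocol);
  }
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;                              // unparseable expressions are ignored
  const [, scheme, host, port, path] = m;
  // Scheme: the explicit one from the expression, else the protected origin's.
  const exprScheme = scheme ? scheme.toLowerCase() + ':' : origin.protocol;
  if (!schemeMatches(exprScheme, url.protocol)) return false;
  // Host: '*' matches any host, '*.example.com' matches subdomains only.
  const h = host.toLowerCase(), uh = url.hostname.toLowerCase();
  if (h === '*') { /* any host */ }
  else if (h.startsWith('*.')) { if (!uh.endsWith(h.slice(1)) || uh === h.slice(2)) return false; }
  else if (h !== uh) return false;
  // Port: absent means "the default port for the URL's scheme", '*' means any.
  if (port === undefined) { if (effectivePort(url) !== DEFAULT_PORT[url.protocol]) return false; }
  else if (port !== '*' && Number(port) !== effectivePort(url)) return false;
  // Path: a trailing slash is a prefix match, otherwise the path must be exact.
  if (path) {
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// Does `target` pass the directive value (e.g. "'self' wss://spreed.me/ws blob:")
// when requested from a document at `pageOrigin`?
function connectSrcAllows(target, directiveValue, pageOrigin) {
  const url = new URL(target);
  const origin = new URL(pageOrigin);
  return directiveValue.trim().split(/\s+/)
    .some(expr => matchesExpression(expr, url, origin));
}

// The directive reported in the issue, evaluated from a page on https://spreed.me
// (assumed page origin; the /api/v1/rooms path is a made-up same-origin request).
const SPREED_CONNECT_SRC = "'self' wss://spreed.me/ws blob:";
const PAGE = 'https://spreed.me/';

function report() {
  const urls = [
    'http://localhost:10717/owr.js',   // the injected script's fetch: refused
    'ws://localhost:10717/bridge',     // the bridge WebSocket: also outside the list
    'wss://spreed.me/ws',              // listed explicitly: allowed
    'https://spreed.me/api/v1/rooms',  // 'self': allowed
  ];
  return Object.fromEntries(urls.map(u => [u, connectSrcAllows(u, SPREED_CONNECT_SRC, PAGE)]));
}

console.log(report());
```

Run with `node`. The matcher reproduces the refusal for `http://localhost:10717/owr.js`, and it also shows that `ws://localhost:10717/bridge` is outside the same `connect-src` list: a page-level fetch of owr.js and a WebSocket to the local bridge are both checked against this directive, so fetching the script natively only removes the first check.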

@stefanalund - perhaps you know how to fix this? Can it be just a small change in the API or application options somewhere?

superdump avatar Jan 14 '16 07:01 superdump

There's big trouble here since WKWebView blocks all mixed content on the page and there's no exception to this rule at this time. I think the whole project should go back to using UIWebView.

lcamacho avatar Feb 07 '16 14:02 lcamacho

@lcamacho I'd really like to avoid that since the injection of our user script is really shaky when using UIWebView. With WKWebView it is rock solid.

@pererikb had some idea about using an IFrame that may be worth evaluating.

stefanalund avatar Feb 07 '16 19:02 stefanalund

This has been fixed: https://github.com/EricssonResearch/bowser/issues/72#issuecomment-182390937

stefanalund avatar Feb 10 '16 14:02 stefanalund

Well, I think that #72 does not fix this ticket. Of course the https loading issue would be a problem, but I do not see how this fix could make the CSP accept the injection.

longsleep avatar Feb 10 '16 18:02 longsleep

Look at what they did with the Safari extension and you may get an idea of what to do. https://github.com/EricssonResearch/openwebrtc-browser-extensions/blob/master/safari/OpenWebRTC.safariextension/bootstrap.js

lcamacho avatar Feb 10 '16 18:02 lcamacho

Yep, you are correct. I was a bit quick to pull the trigger :-) Reopening.

stefanalund avatar Feb 10 '16 21:02 stefanalund

Yes @longsleep @lcamacho one idea is to do the same on iOS, i.e. to first download the contents of owr.js from within the application and inject it to the WKWebView (instead of doing it in JavaScript).

Would you guys be willing/able to try that yourselves?

stefanalund avatar Feb 11 '16 08:02 stefanalund

> first download the contents of owr.js from within the application and inject it to the WKWebView (instead of doing it in JavaScript).

That results in the following:

WebSocket connection to 'ws://localhost:10717/bridge' failed: WebSocket is closed due to suspension.

BonzaiThePenguin avatar May 05 '17 22:05 BonzaiThePenguin