
Firefox Issue: CSP errors

Status: Open · dvas0004 opened this issue 7 years ago · 0 comments

To reproduce:

  1. Start ZAP on one machine
  2. Configure ZAP (and machine) to accept remote requests
  3. Configure browser on 2nd machine to proxy through ZAP
  4. Proxy to target, HUD will probably work

On step 4, looking at the console, I'm seeing a bunch of errors like so:

[screenshot: console CSP errors]

Those CSP errors are being thrown by callback URLs such as:

  • https://zap//zapCallBackUrl/6223563515382454344?name=drawer.html
  • https://zap//zapCallBackUrl/6223563515382454344?name=growlerAlerts.html

Weird thing is, checking the network requests I see the CSP policy set correctly:

[screenshot: network request showing the CSP header]

For clarity the CSP in the screenshot is: default-src 'none'; script-src 'self' 'unsafe-eval'; connect-src https://zap wss://zap; frame-src 'self'; img-src 'self' data:; font-src 'self' data:; style-src 'self' 'unsafe-inline'

This, of course, is showing the HUD, but nothing works... More details:

  • starting FF from within ZAP, i.e. from the "Launch Browser" button in the quick start, doesn't produce these issues
  • Chrome doesn't have these issues (both manual start and "Launch Browser")
  • HUD options setup:

[screenshot: HUD options]

The above issue is on Ubuntu LTS 18.04, FF 62.0.3 (64-bit).

dvas0004 · Oct 10 '18 15:10
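An added example, not code from the issue or from the zap-hud project: a small Python evaluator that parses the CSP quoted in the report and says which directive governs a given load (frame, connect, img, ...) and whether it passes, following the CSP3 fallback to default-src. Because 'self' is resolved against the origin of the document that carries the policy, the page origins passed in below are assumed values chosen to show how the same callback URL can be allowed under one origin and blocked under another.

```python
from urllib.parse import urlsplit

# The policy quoted in the issue above (copied from the report).
HUD_CSP = ("default-src 'none'; script-src 'self' 'unsafe-eval'; "
           "connect-src https://zap wss://zap; frame-src 'self'; "
           "img-src 'self' data:; font-src 'self' data:; "
           "style-src 'self' 'unsafe-inline'")

# Directive consulted for each fetch type, then the CSP3 fallback chain.
FALLBACK = {
    "frame": ["frame-src", "child-src", "default-src"],
    "script": ["script-src", "default-src"],
    "connect": ["connect-src", "default-src"],
    "img": ["img-src", "default-src"],
    "object": ["object-src", "default-src"],
}

def parse_csp(policy):
    """'name src src; name src' -> {name: [sources]}; first occurrence wins."""
    directives = {}
    for chunk in policy.split(";"):
        parts = chunk.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives

def source_matches(src, url, page_origin):
    """Does one source expression allow this URL? page_origin is what 'self' means."""
    u = urlsplit(url)
    if src == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if src.startswith("'"):          # 'none', 'unsafe-eval', ... never match a URL
        return False
    if src.endswith(":"):            # scheme-source such as data:
        return u.scheme + ":" == src.lower()
    s = urlsplit(src if "://" in src else "//" + src)   # host-source
    if s.scheme and s.scheme != u.scheme:
        return False
    host, want = (u.hostname or "").lower(), (s.hostname or "").lower()
    host_ok = host.endswith(want[1:]) if want.startswith("*.") else host == want
    return host_ok and (s.port is None or s.port == u.port)

def check(fetch_type, url, page_origin, policy=HUD_CSP):
    """Return (governing directive, allowed?) for a load of the given type."""
    directives = parse_csp(policy)
    for name in FALLBACK[fetch_type]:
        if name in directives:
            return name, any(source_matches(s, url, page_origin) for s in directives[name])
    return None, True                # no applicable directive: not restricted

if __name__ == "__main__":
    cb = "https://zap//zapCallBackUrl/6223563515382454344?name=drawer.html"
    print(check("frame", cb, "https://zap"))            # ('frame-src', True)
    print(check("frame", cb, "http://target.example"))  # ('frame-src', False)
    print(check("object", "https://zap/x", "https://zap"))  # ('default-src', False)
```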