From mlibra at redhat.com Wed Feb 24 11:58:33 2016
From: Marek Libra
To: cockpit-devel at lists.fedorahosted.org
Subject: Download generated file, content-security-policy
Date: Wed, 24 Feb 2016 06:58:25 -0500
Message-ID: <2127297264.49585282.1456315105799.JavaMail.zimbra@redhat.com>
In-Reply-To: 154213305.49088904.1456313232843.JavaMail.zimbra@redhat.com

Hi,

Does anyone know how to set up the content-security-policy to allow content generated by JavaScript to be downloaded in a similar way as a file?

Please have a look at the code below.
I would expect the download of "myFile.txt" with content "hello" to start when clicking on the link.

Unfortunately, Firefox 44 complains with:

    Content Security Policy: The page's settings blocked the loading of a resource at data:plain/text,hello ("default-src https://192.168.122.101:9090 'unsafe-inline' 'unsafe-eval'").

Thanks for your help,
Marek

-----------------
manifest.json:

{
    "version": 0,
    "tools": {
        "mytest": {
            "label": "cspTest",
            "path": "csp.html"
        }
    },

    "content-security-policy": "default-src 'self' data: https: 'unsafe-inline' 'unsafe-eval'"
}

-----------------
csp.html:

<html>
<head>
    <meta charset="utf-8">
    <link href="../base1/cockpit.css" type="text/css" rel="stylesheet">
</head>
<body>
    <a href="data:plain/text, hello" download="myFile.txt">Static content</a>
</body>
</html>


From stefw at redhat.com Wed Feb 24 12:40:57 2016
From: Stef Walter
To: cockpit-devel at lists.fedorahosted.org
Subject: Re: Download generated file, content-security-policy
Date: Wed, 24 Feb 2016 13:40:45 +0100
Message-ID: <56CDA4CD.1010303@redhat.com>
In-Reply-To: 2127297264.49585282.1456315105799.JavaMail.zimbra@redhat.com

On 24.02.2016 12:58, Marek Libra wrote:
> Hi,
>
> Does anyone know how to set up the content-security-policy to allow
> content generated by JavaScript to be downloaded in a similar way as a
> file?
>
> Please have a look at the code below. I would expect the download of
> "myFile.txt" with content "hello" to start when clicking on the link.
>
> Unfortunately, Firefox 44 complains with: Content Security Policy:
> The page's settings blocked the loading of a resource at
> data:plain/text,hello ("default-src https://192.168.122.101:9090
> 'unsafe-inline' 'unsafe-eval'").
>
> Thanks for your help, Marek
>
> -----------------
> manifest.json:
>
> {
>     "version": 0,
>     "tools": {
>         "mytest": {
>             "label": "cspTest",
>             "path": "csp.html"
>         }
>     },
>
>     "content-security-policy": "default-src 'self' data: https: 'unsafe-inline' 'unsafe-eval'"
> }
>
> -----------------
> csp.html:
>
> <html>
> <head>
>     <meta charset="utf-8">
>     <link href="../base1/cockpit.css" type="text/css" rel="stylesheet">
> </head>
> <body>
>     <a href="data:plain/text, hello" download="myFile.txt">Static content</a>
> </body>
> </html>

This example, once I fixed the HTML tags, seemed to work in Chrome but
not in Firefox. My Firefox (44.0.2) doesn't complain about CSP though.

Does the behavior change when clicking on the link and choosing 'This
frame | Open frame in new Tab'? That is, when displaying the cspTest
plugin in its own browser window?

What kind of download are you trying to simulate? Something from the
server perhaps? When working on the sosreport plugin we had to add
support to do just that. You can see an example here:

https://github.com/cockpit-project/cockpit/blob/master/pkg/sosreport/index.js#L101

Cheers,

Stef


From mlibra at redhat.com Thu Feb 25 09:28:26 2016
From: Marek Libra
To: cockpit-devel at lists.fedorahosted.org
Subject: Re: Download generated file, content-security-policy
Date: Thu, 25 Feb 2016 04:28:18 -0500
Message-ID: <1347176222.52947054.1456392498469.JavaMail.zimbra@redhat.com>
In-Reply-To: 56CDA4CD.1010303@redhat.com

Please excuse the wrong formatting in my previous post. I'm sending the files as attachments now.

----- Original Message -----
> From: "Stef Walter"
> To: "Development discussion for the Cockpit Project"
> Sent: Wednesday, February 24, 2016 1:40:45 PM
> Subject: Re: Download generated file, content-security-policy
>
> On 24.02.2016 12:58, Marek Libra wrote:
> > Hi,
> >
> > Does anyone know how to set up the content-security-policy to allow
> > content generated by JavaScript to be downloaded in a similar way as
> > a file?
> >
> > Please have a look at the code below. I would expect the download of
> > "myFile.txt" with content "hello" to start when clicking on the link.
> >
> > Unfortunately, Firefox 44 complains with: Content Security Policy:
> > The page's settings blocked the loading of a resource at
> > data:plain/text,hello ("default-src https://192.168.122.101:9090
> > 'unsafe-inline' 'unsafe-eval'").
> >
> > Thanks for your help, Marek
> >
> > -----------------
> > manifest.json:
> >
> > {
> >     "version": 0,
> >     "tools": {
> >         "mytest": {
> >             "label": "cspTest",
> >             "path": "csp.html"
> >         }
> >     },
> >
> >     "content-security-policy": "default-src 'self' data: https: 'unsafe-inline' 'unsafe-eval'"
> > }
> >
> > -----------------
> > csp.html:
> >
> > <html>
> > <head>
> >     <meta charset="utf-8">
> >     <link href="../base1/cockpit.css" type="text/css" rel="stylesheet">
> > </head>
> > <body>
> >     <a href="data:plain/text, hello" download="myFile.txt">Static content</a>
> > </body>
> > </html>
>
> This example, once I fixed the HTML tags, seemed to work in Chrome but
> not in Firefox. My Firefox (44.0.2) doesn't complain about CSP though.

This is strange, since Firefox 44.0.2 does not complain all the time. Please refresh and try clicking once again. The CSP error will display (or repeat).

Anyway, no matter the CSP error message, the download is not started in Firefox. Works fine when opening in a new tab. Could it be a Firefox bug?

> Does the behavior change when clicking on the link and choosing 'This
> frame | Open frame in new Tab'? That is, when displaying the cspTest
> plugin in its own browser window?
>
> What kind of download are you trying to simulate? Something from the
> server perhaps? When working on the sosreport plugin we had to add
> support to do just that. You can see an example here:
>
> https://github.com/cockpit-project/cockpit/blob/master/pkg/sosreport/index.js#L101

I plan to generate console.vv for remote-viewer. I have all data already in the browser (JavaScript).
If possible, I would like to avoid placing the content on the filesystem before download or setting up a new proxy service running on the host and serving the request.

> Cheers,
>
> Stef

[Attachment: manifest.json]
[Attachment: csp.html]
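Added example, not part of the thread and not Cockpit code: the default-src list in the Firefox message differs from the one in the posted manifest.json, and this simplified matcher evaluates the data: link from csp.html against each list. It handles only scheme-sources, 'self' and full-origin host-sources, and it assumes the page origin is the one shown in the Firefox message; the function names are illustrative.

```javascript
// Added example: simplified CSP source-list matching (scheme-sources, 'self'
// and full-origin host-sources only). Not a complete CSP implementation.
// Both policy strings are copied from the thread.
const MANIFEST_POLICY = "default-src 'self' data: https: 'unsafe-inline' 'unsafe-eval'";
const REPORTED_POLICY = "default-src https://192.168.122.101:9090 'unsafe-inline' 'unsafe-eval'";
// Assumption: the page's own origin is the one Firefox printed in its message.
const SELF_ORIGIN = 'https://192.168.122.101:9090';

// Split a policy into a Map of directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return the source expression that admits `url`, or null when none does.
function matchingSource(sources, url, selfOrigin) {
  const target = new URL(url);
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'self'") {
      if (target.origin === selfOrigin) return src;
    } else if (s.startsWith("'")) {
      continue; // 'unsafe-inline', 'unsafe-eval', nonces and hashes never match a URL
    } else if (/^[a-z][a-z0-9+.-]*:$/.test(s)) {
      if (target.protocol === s) return src; // scheme-source such as data:
    } else {
      try {
        if (target.origin !== 'null' && new URL(s).origin === target.origin) return src;
      } catch { /* host-source without a scheme: not handled in this sketch */ }
    }
  }
  return null;
}

// Evaluate `url` against default-src, the directive named in the Firefox message.
function checkDefaultSrc(policy, url, selfOrigin) {
  const sources = parsePolicy(policy).get('default-src');
  if (!sources) return { allowed: true, by: null }; // no default-src present
  const by = matchingSource(sources, url, selfOrigin);
  return { allowed: by !== null, by };
}

for (const p of [MANIFEST_POLICY, REPORTED_POLICY]) console.log(checkDefaultSrc(p, 'data:plain/text, hello', SELF_ORIGIN));
```

The manifest's list admits the link through its data: entry, while the list Firefox reported has no entry that matches a data: URL.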