From mlibra at redhat.com Wed Feb 24 11:58:33 2016
Content-Type: multipart/mixed; boundary="===============3509607772209858891=="
MIME-Version: 1.0
From: Marek Libra <mlibra at redhat.com>
To: cockpit-devel at lists.fedorahosted.org
Subject: Download generated file, content-security-policy
Date: Wed, 24 Feb 2016 06:58:25 -0500
Message-ID: <2127297264.49585282.1456315105799.JavaMail.zimbra@redhat.com>
In-Reply-To: 154213305.49088904.1456313232843.JavaMail.zimbra@redhat.com

--===============3509607772209858891==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Hi,

Does anyone know how to setup the content-security-policy to allow content =
generated by JavaScript to be downloaded in a similar way as a file?

Please have a look at the code bellow. =

I would expect the download of "myFile.txt" with content "hello" starts whe=
n clicking on the link.

Unfortunately, Firefox 44 complains with:
        Content Security Policy: The page's settings blocked the loading of=
 a resource at data:plain/text,hello ("default-src https://192.168.122.101:=
9090 'unsafe-inline' 'unsafe-eval'").

Thanks for your help,
Marek

-----------------
maanifest.json:

{
    "version": 0,
    "tools": {
        "mytest": {
            "label": "cspTest",
            "path": "csp.html"
        }
    },

    "content-security-policy": "default-src 'self' data: https: 'unsafe-inl=
ine' 'unsafe-eval'"
}

-----------------
csp.html:

<html>

    charset=3D"utf-8">
    href=3D"../base1/cockpit.css" type=3D"text/css" rel=3D"stylesheet">


        href=3D"data:plain/text, hello" download=3D"myFile.txt">Static cont=
ent

html
--===============3509607772209858891==--