From stefw at redhat.com Wed Feb 24 12:40:57 2016 Content-Type: multipart/mixed; boundary="===============6307946287651156834==" MIME-Version: 1.0 From: Stef Walter To: cockpit-devel at lists.fedorahosted.org Subject: Re: Download generated file, content-security-policy Date: Wed, 24 Feb 2016 13:40:45 +0100 Message-ID: <56CDA4CD.1010303@redhat.com> In-Reply-To: 2127297264.49585282.1456315105799.JavaMail.zimbra@redhat.com --===============6307946287651156834== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable On 24.02.2016 12:58, Marek Libra wrote: > Hi, > = > Does anyone know how to setup the content-security-policy to allow content generated by JavaScript to be downloaded in a similar way as a file? > = > Please have a look at the code bellow. I would expect the download of > "myFile.txt" with content "hello" > starts when clicking on the link. > > Unfortunately, Firefox 44 complains with: Content Security Policy: > The page's settings blocked the loading of a resource at data:plain/text,hello ("default-src https://192.168.122.101:9090 'unsafe-inline' 'unsafe-eval'"). > = > Thanks for your help, Marek > ----------------- > maanifest.json: > = > { > "version": 0, > "tools": { > "mytest": { > "label": "cspTest", > "path": "csp.html" > } > }, > = > "content-security-policy": "default-src 'self' data: https: 'unsafe-i= nline' 'unsafe-eval'" > } > = > ----------------- > csp.html: > = > > = > charset=3D"utf-8"> > href=3D"../base1/cockpit.css" type=3D"text/css" rel=3D"stylesheet"> > = > = > href=3D"data:plain/text, hello" download=3D"myFile.txt">Static co= ntent > = > html This example, once I fixed the HTML tags seemed to work in Chrome but not in Firefox. My Firefox (44.0.2) doesn't complain about CSP though. Does the behavior change when clicking on the link and choosing 'This frame | Open frame in new Tab'? That is, when displaying the cspTest plugin in its own browser window? What kind of download are you trying to simulate? Something from the server perhaps? When working on the sosreport plugin we had to add support to do just that. You can see an example here: https://github.com/cockpit-project/cockpit/blob/master/pkg/sosreport/index.= js#L101 Cheers, Stef --===============6307946287651156834== Content-Type: application/pgp-signature MIME-Version: 1.0 Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjIKCmlFWUVBUkVD QUFZRkFsYk5wTTBBQ2drUWUvc1JDTmtuWmE5OWZRQ2c0OEhUZ1J6VmJLMzFiUWFaZmRLaVJRSk8K R09jQW9Jc3hhd0QwWmY4QVNCUVU1RzAyZ1JqSlFxY1oKPWxFUkoKLS0tLS1FTkQgUEdQIFNJR05B VFVSRS0tLS0tCg== --===============6307946287651156834==--