Firefox 4 compatibility issues with SharePoint 2010 : Content Security Policy

When you install Firefox 4, you instantly receive a new security mechanism called Content Security Policy. This mechanism works behind the scenes to prevent some of the more severe web-based attacks against users and websites…

While using Firefox 4 to access our latest project (a custom solution based upon the SharePoint 2010 platform, in an HTTPS context), we noticed that we couldn't use the out-of-the-box (and often used) DateTime control.

The issue occurs when trying to switch to the next or previous month in the dialog that opens after clicking on the calendar icon. In detail, the HideUnhide('DatePickerDiv','DatePickerDivP1','20110501'); call wasn't executing as expected.

By using the Firebug plug-in, I was able to detect this warning in the console panel after clicking on the next month icon.

The SharePoint DateTime control makes use of an underlying iframe to display the popup, and I think that this might trigger the security guard in FF4 that prevents clickjacking.

From developer.mozilla.org:

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.

CSP is designed to be fully backward compatible; browsers that don’t support it still work with servers that implement it, and vice-versa. Browsers that don’t support CSP simply ignore it, functioning as usual, defaulting to the standard same-origin policy for web content. If the site doesn’t offer the CSP header, browsers likewise use the standard same-origin policy.

A secondary goal of CSP is to mitigate clickjacking. Clickjacking happens when a malicious site directs a victim’s mouse click to an unintended target in another site. This is typically done by framing the target site’s content in a transparent element.

CSP lets a site specify which sites may embed resources, thereby helping to prevent this sort of attack.

Note: For security reasons, you can’t use the <meta> element to configure the X-Content-Security-Policy header.

The policy can be delivered from the server to the client via an HTTP response header or an HTML meta element. Both mechanisms indicate that a resource must have the set of restrictions specified in the policy applied to it by the user-agent while rendering the content.

https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
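To make the clickjacking part of the policy concrete, here is an added Python example (written for this post, not SharePoint or Mozilla code) that parses a policy string as it would arrive in the header and evaluates its frame-ancestors directive: a same-origin popup frame such as the DatePicker's is accepted by 'self', while a third-party framer is refused. The source-matching rules are a simplified reading of the spec, and the origins used are constructed sample values.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header_value):
    """Split "dir src src; dir src" into {directive: [sources]}; names are case-insensitive."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _split_origin(origin, default_scheme=None):
    """Return (scheme, host, port). A bare host source like *.example.com gets default_scheme."""
    if "://" not in origin:
        origin = "//" + origin          # lets urlsplit treat a bare host[:port] as a netloc
    parts = urlsplit(origin)
    scheme = parts.scheme.lower() or default_scheme
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def source_matches(source, page_origin, framer_origin):
    """Does one frame-ancestors source expression match the origin that wants to frame us?"""
    if source == "'none'":
        return False
    page, framer = _split_origin(page_origin), _split_origin(framer_origin)
    if source == "'self'":
        return page == framer           # same scheme, host and port as the framed page
    if source.endswith(":") and "/" not in source:
        return framer[0] == source[:-1].lower()   # scheme-only source, e.g. https:
    s_scheme, s_host, s_port = _split_origin(source, default_scheme=page[0])
    if framer[0] != s_scheme or framer[2] != s_port:
        return False
    if s_host.startswith("*."):         # wildcard matches subdomains, not the apex itself
        return framer[1].endswith(s_host[1:])
    return framer[1] == s_host


def frame_allowed(header_value, page_origin, framer_origin):
    """True if a page served from page_origin may be framed by framer_origin under this policy.
    With no frame-ancestors directive, CSP imposes no framing restriction at all."""
    sources = parse_policy(header_value).get("frame-ancestors")
    if sources is None:
        return True
    return any(source_matches(s, page_origin, framer_origin) for s in sources)


if __name__ == "__main__":
    portal = "https://intranet.example.com"   # constructed sample origin of the SharePoint site
    print(frame_allowed("frame-ancestors 'self'", portal, portal))                       # True
    print(frame_allowed("frame-ancestors 'self'", portal, "https://attacker.example.net"))  # False
```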


Microsoft SharePoint Online Developer Guide (Beta) – Sandboxed Solutions

Overview
This guide walks you through some of the rich features that are available to developers and designers in SharePoint Online in Office 365. It provides an overview of the feature set and extensibility points for SharePoint Online, and a discussion of how to create solutions for this new environment. This guide begins by describing the types of solutions you can build, and then addresses the developer tools for SharePoint 2010, the new platform features, and the solution deployment architecture.

http://www.microsoft.com/downloads/en/d … c043b9335a
