Bug 1186412 - Fastmail won't allow to insert inline images to emails
Status: RESOLVED FIXED (Closed)
Opened 9 years ago, closed 9 years ago
Product / Component: Core :: DOM: Core & HTML (defect)
Reporter: bbouvier; Assignee: Unassigned
Attachments (1 file): image/png, 34.50 KB
STR:
- ensure you have a Fastmail account
- log in
- compose a new message
- click "Make Rich Text" to force HTML
- click the "insert image" button
- choose any PNG image, like the attached one.

Expected:
- the image shows up, as it would do beforehand

Observed:
- a popup alert shows up, saying "Sorry. 1437572845.png is not a recognized image.", and the image isn't inserted

Bisection leads to bug 1086999, which was also the source of another Fastmail bug (bug 1157084 -- note this bug isn't a duplicate but really another issue): https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=2e0ebba4a766&tochange=183190289b9c

However, I can't see any CSP error in the console, as of today.

Please let me know if you need further information.
Comment 1 • 9 years ago

Benjamin, I don't have a fastmail account at the moment. Let's see if we can resolve the problem offline.

It's very likely that bug 1086999 causes issues with fastmail. Do you see any errors in the browser console? (Please note that the browser console is something different than the web console.) Unfortunately not all the CSP errors show up on the web console (see Bug 970790), but they should all show up in the browser console.

What's the CSP the page is using?
Does the image that is blocked use a 'data:' scheme?
If so, is 'data:' explicitly whitelisted in the CSP? If not, then fastmail would have to add 'data:' since the wildcard (*) does not match data:, blob:, filesystem:. See http://www.w3.org/TR/CSP2/#source-list-guid-matching
Flags: needinfo?(benj)
Reporter
Comment 2 • 9 years ago

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #1)
> Benjamin, I don't have a fastmail account at the moment. Let's see if we can
> resolve the problem offline.
> It's very likely that bug 1086999 causes issues with fastmail. Do you see
> any errors in the browser console (Please note that the browser console is
> something different than the web console). Unfortunately not all the CSP
> errors show up on the web console (see Bug 970790), but they should all show
> up in the browser console.
>
> What's the CSP the page is using?
> Does the image that is blocked use a 'data:' scheme?
> If so, is 'data:' explicitly whitelisted in the CSP? If not, then fastmail
> would have to add 'data:' since the wildcard (*) does not match data:,
> blob:, filesystem:. See
> http://www.w3.org/TR/CSP2/#source-list-guid-matching

Chris, here's the message in the browser console:

> Content Security Policy: The page's settings blocked the loading of a resource at
> blob:https://www.fastmail.com/55411e88-939e-4f95-8a77-b670ac9fe6b ("img-src * data:").

The CSP header (as shown in the request section of the devtools) contains the following:

> "default-src 'self'; script-src 'self' 'unsafe-eval' https://api.pin.net.au https://api.stripe.com; style-src 'self' 'unsafe-inline'; font-src data:; img-src * data:; media-src 'none'; object-src 'none'; report-uri /log/csp"

I can't really answer the question whether the blocked image uses a 'data:' scheme or not, but I can provide you more information given by the devtools (network section, I found a 'csp' entry):

Params:

> {"csp-report":{"blocked-uri":"blob:https://www.fastmail.com/d8d52f85-1f16-452c-b73f-062a9419672","document-uri":"https://www.fastmail.com/mail/Inbox/?u=691c416","original-policy":"default-src https://www.fastmail.com; script-src https://www.fastmail.com 'unsafe-eval' https://api.pin.net.au https://api.stripe.com; style-src https://www.fastmail.com 'unsafe-inline'; font-src data:; img-src * data:; media-src 'none'; object-src 'none'; report-uri https://www.fastmail.com/log/csp","referrer":"","violated-directive":"img-src * data:"}}

Does this help?

(For what it's worth, you can create a free account without providing any credit card information, and use it for free during the first 30 days: https://www.fastmail.com/signup/personal.html )
Flags: needinfo?(benj) → needinfo?(mozilla)
Comment 3 • 9 years ago

(In reply to Benjamin Bouvier [:bbouvier] from comment #2)
> > Content Security Policy: The page's settings blocked the loading of a resource at
> > blob:https://www.fastmail.com/55411e88-939e-4f95-8a77-b670ac9fe6b ("img-src * data:").
>
> Does this help?

Yes, indeed, so what fastmail would need to do is update their CSP header for images to:

> img-src * data: blob:

since blob: URLs are not matched by the wildcard (*). Other browsers are not following the spec as of today's releases but they are about to catch up on that as well. So even if the resource is not blocked today in other browsers, it might be blocked in any of the upcoming releases, so it's best advised for fastmail to update their CSP to include 'blob:'.

That should resolve the problem; if not, please let me know.
Flags: needinfo?(mozilla)
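To make the rule behind comments 2 and 3 concrete (the CSP2 wildcard `*` matches network URLs but never `data:`, `blob:` or `filesystem:` ones, so `img-src * data:` blocks a `blob:` image while `img-src * data: blob:` allows it), here is a small matcher written for this page as an added example; it is not Firefox's CSP implementation and not code from Fastmail. It assumes a simplified CSP2 grammar (no nonce or hash sources, no path matching on host-sources, no http-to-https upgrade for `'self'`), and the names `checkImage` and `triageReport` are chosen here. The policy string and the `blocked-uri` reused as inputs are the ones quoted in comment 2.

```javascript
// Added example, not code from the bug thread, Firefox or Fastmail: a small
// CSP2 source-list matcher for image loads, plus a triage helper for the JSON
// bodies a report-uri endpoint receives. Assumptions: no nonce/hash sources,
// no path matching on host-sources, no http->https upgrade for 'self'.

const NON_NETWORK_SCHEMES = ['data:', 'blob:', 'filesystem:'];
const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// "img-src * data:; font-src data:" -> Map { 'img-src' => ['*', 'data:'], 'font-src' => ['data:'] }
function parsePolicy(policy) {
  const directives = new Map();
  for (const clause of policy.split(';')) {
    const [name, ...sources] = clause.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function effectivePort(url) {
  return url.port || DEFAULT_PORT[url.protocol] || '';
}

// host-source: [scheme://][*.]host[:port|:*], e.g. https://api.stripe.com or *.example.com
function hostSourceMatches(source, url, page) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? `${scheme}:` : page.protocol;
  if (wantScheme !== url.protocol) return false;
  const hostOk = wildcard ? url.hostname.endsWith(`.${host}`) : url.hostname === host;
  if (!hostOk) return false;
  const wantPort = port === '*' ? effectivePort(url) : (port || DEFAULT_PORT[wantScheme] || '');
  return wantPort === effectivePort(url);
}

// Does one source expression match `url` when loaded by `page`? (CSP2 section 4.2.2)
function sourceMatches(source, url, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") {
    return url.protocol === page.protocol && url.hostname === page.hostname &&
           effectivePort(url) === effectivePort(page);
  }
  if (s === '*') {
    // The wildcard matches any URL except data:, blob: and filesystem: ones,
    // which is why "img-src * data:" blocks a blob: image but not a data: one.
    return !NON_NETWORK_SCHEMES.includes(url.protocol);
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s === url.protocol; // scheme-source such as "data:"
  if (s.startsWith("'")) return false; // other keywords ('unsafe-inline', ...) never match a URL
  return hostSourceMatches(s, url, page);
}

// Evaluate an image load; the result carries the same "violated-directive" text a report would.
function checkImage(policy, imageUrl, pageUrl) {
  const url = new URL(imageUrl), page = new URL(pageUrl);
  const directives = parsePolicy(policy);
  const name = directives.has('img-src') ? 'img-src'
             : directives.has('default-src') ? 'default-src' : null;
  if (name === null) return { allowed: true, violatedDirective: null }; // no governing directive
  const sources = directives.get(name);
  const allowed = sources.some((src) => sourceMatches(src, url, page));
  return { allowed, violatedDirective: allowed ? null : `${name} ${sources.join(' ')}` };
}

// Triage a report-uri POST body: flag violations where the blocked URL has a scheme
// the wildcard never covers and the violated directive does not list it explicitly.
function triageReport(body) {
  const r = JSON.parse(body)['csp-report'];
  let scheme;
  try { scheme = new URL(r['blocked-uri']).protocol; } catch { scheme = `${r['blocked-uri']}:`; } // reports may carry only "data"
  const listed = r['violated-directive'].split(/\s+/).slice(1).map((x) => x.toLowerCase());
  const missingScheme = NON_NETWORK_SCHEMES.includes(scheme) && !listed.includes(scheme);
  return { blockedScheme: scheme, missingScheme,
           suggestion: missingScheme ? `${r['violated-directive']} ${scheme}` : null };
}

// Inputs taken from comment 2 of this bug.
const PAGE = 'https://www.fastmail.com/mail/Inbox/';
const POLICY_BEFORE = "default-src 'self'; script-src 'self' 'unsafe-eval' https://api.pin.net.au https://api.stripe.com; style-src 'self' 'unsafe-inline'; font-src data:; img-src * data:; media-src 'none'; object-src 'none'; report-uri /log/csp";
const POLICY_AFTER = POLICY_BEFORE.replace('img-src * data:', 'img-src * data: blob:');
const BLOB_IMAGE = 'blob:https://www.fastmail.com/d8d52f85-1f16-452c-b73f-062a9419672';
const REPORT = JSON.stringify({ 'csp-report': {
  'blocked-uri': BLOB_IMAGE,
  'document-uri': 'https://www.fastmail.com/mail/Inbox/?u=691c416',
  'violated-directive': 'img-src * data:',
} });

console.log(checkImage(POLICY_BEFORE, BLOB_IMAGE, PAGE)); // { allowed: false, violatedDirective: 'img-src * data:' }
console.log(checkImage(POLICY_AFTER, BLOB_IMAGE, PAGE));  // { allowed: true, violatedDirective: null }
console.log(triageReport(REPORT));                        // suggestion: 'img-src * data: blob:'
```

Run it with `node` and no dependencies. The triage helper is the defender-side half of the story: a report whose `blocked-uri` is a `blob:` or `data:` URL and whose violated directive relies on `*` is almost always a policy that needs the scheme listed explicitly, not a malicious load, so it can be sorted out before someone reads the rest of the report queue.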
Updated • 9 years ago
Blocks: CVE-2015-4490
No longer depends on: CVE-2015-4490

Updated • 9 years ago
Flags: needinfo?(benj)
Reporter
Comment 4 • 9 years ago

I don't have contacts at Fastmail, but I've let them know about the issue on Twitter: https://twitter.com/bnjbvr/status/624472759595307008

Will try other ways if we don't have any answers by next Tuesday.
Flags: needinfo?(benj)
Reporter
Comment 5 • 9 years ago

Fastmail contacted me back on Twitter and fixed the CSP policy on their website, and I can insert inline images again. Thank you Christoph for the help!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated • 5 years ago
Component: DOM → DOM: Core & HTML