Bug 1232628 (Closed): CSP warning sent when it probably shouldn't be
Opened 9 years ago, closed 8 years ago

Product/Component: Core :: DOM: Security
Type: defect | Priority: Not set | Severity: normal
Status: RESOLVED INVALID
Reporter: jwalker | Assignee: Unassigned
References: Blocks 1 open bug
Whiteboard: [domsecurity-backlog]

I've a web-app that has a CSP policy. It used to pass on both Firefox and Chrome. As of last week (ish) Firefox began complaining. The site appears to work fine in both browsers.

Details in comments.

The policy (as fetched from netmonitor) is:

Content-Security-Policy:base-uri 'self'; connect-src 'self' ws://localhost:3000; default-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; object-src; report-uri /cspviolation; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
The violation as reported in the web console is:

Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src http://localhost:3000")

The CSP violation ping says: {... "violated-directive":"default-src http://localhost:3000"}

I ran with NSPR_LOG_MODULES=CSPContext:5, and ...

2006130688[10a5762d0]: nsCSPContext::nsCSPContext
2006130688[10a5762d0]: nsCSPContext::AppendPolicy: base-uri 'self'; connect-src 'self' ws://localhost:3000; default-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; object-src; report-uri /cspviolation; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: http://localhost:3000/resources/index.css
2006130688[10a5762d0]: >>>>                      aContentType: 40
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: http://localhost:3000/resources/index.css
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: http://localhost:3000/built/index.js
2006130688[10a5762d0]: >>>>                      aContentType: 36
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: http://localhost:3000/built/index.js
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: http://localhost:3000/resources/index.css
2006130688[10a5762d0]: >>>>                      aContentType: 4
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: http://localhost:3000/resources/index.css
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: http://localhost:3000/built/index.js
2006130688[10a5762d0]: >>>>                      aContentType: 2
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: http://localhost:3000/built/index.js
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: https://fonts.googleapis.com/css?family=Roboto:400,300,500
2006130688[10a5762d0]: >>>>                      aContentType: 4
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: https://fonts.googleapis.com/css?family=Roboto:400,300,500
2006130688[10a5762d0]: Sent violation report to URI http://localhost:3000/cspviolation
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: https://fonts.gstatic.com/s/roboto/v15/oMMgfZMQthOryQo9n22dcuvvDin1pK8aKteLpeZ5c0A.woff2
...

TL;DR:

"decision: load" followed by "Sent violation report" seems strange...
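To reason about the policy and log above offline, here is a small CSP source-list evaluator. It is an added example written for this page, not Firefox's nsCSPContext code. It parses the header from this bug, picks the governing directive for a load (falling back to default-src the way the report's "violated-directive" does), and says whether a URL is allowed. Assumptions: the app is served from http://localhost:3000 so 'self' means that origin; only 'self', 'none', scheme-sources (data:) and exact host-sources are handled (no wildcards, nonces or hashes); URLs other than those in the log are constructed. The bug's report shows 'self' expanded to the page origin; this evaluator reports the source list as written.

```javascript
// Added example, not Firefox code: minimal CSP evaluator for the policy in bug 1232628.
// Scope: 'self', 'none', scheme-source and exact host-source only.

// The header from the bug report, with the "Content-Security-Policy:" name stripped.
const BUG_POLICY =
  "base-uri 'self'; connect-src 'self' ws://localhost:3000; default-src 'self'; " +
  "font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; object-src; " +
  "report-uri /cspviolation; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com";

// Constructed assumption: the React app in the bug is served from this origin.
const PAGE_ORIGIN = 'http://localhost:3000';

// Parse "name src src; name src" into a Map of directive name -> source expressions.
// An empty source list (e.g. "object-src;") is kept as [] and behaves like 'none'.
function parseCsp(header) {
  const directives = new Map();
  for (const token of header.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1)); // first occurrence wins
  }
  return directives;
}

// Does one source expression permit this URL, given the page's origin?
function sourceMatches(expr, url, pageOrigin) {
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return url.origin === pageOrigin;      // same scheme, host and port
  if (lower.startsWith("'")) return false;                       // 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower; // scheme-source such as data:
  try {                                                          // host-source: compare origins exactly
    return new URL(lower).origin === url.origin;
  } catch {
    return false;                                                // unparsable expression matches nothing
  }
}

// Fetch directives fall back to default-src when absent (report-uri, base-uri do not).
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return { directive, sources: policy.get(directive) };
  if (policy.has('default-src')) return { directive: 'default-src', sources: policy.get('default-src') };
  return null; // no governing directive: the load is not restricted by CSP
}

// Returns { allowed, violatedDirective }, the latter in the shape a violation report carries.
function checkLoad(policy, directive, urlString, pageOrigin) {
  const url = new URL(urlString);
  const eff = effectiveSources(policy, directive);
  if (eff === null) return { allowed: true, violatedDirective: null };
  const allowed = eff.sources.some((s) => sourceMatches(s, url, pageOrigin));
  return {
    allowed,
    violatedDirective: allowed ? null : `${eff.directive} ${eff.sources.join(' ')}`.trim(),
  };
}

// Loads from the bug's log plus two constructed ones that the policy should refuse.
function demo() {
  const policy = parseCsp(BUG_POLICY);
  return {
    css: checkLoad(policy, 'style-src', 'http://localhost:3000/resources/index.css', PAGE_ORIGIN),
    font: checkLoad(policy, 'font-src', 'https://fonts.gstatic.com/s/roboto/v15/x.woff2', PAGE_ORIGIN),
    ws: checkLoad(policy, 'connect-src', 'ws://localhost:3000/socket', PAGE_ORIGIN),
    plugin: checkLoad(policy, 'object-src', 'http://localhost:3000/plugin.swf', PAGE_ORIGIN),    // constructed
    thirdParty: checkLoad(policy, 'script-src', 'https://third-party.example/x.js', PAGE_ORIGIN), // constructed
  };
}

console.log(demo());
```

Run it with `node csp-check.js`. Two things it makes visible that the header alone does not: a directive with an empty source list, like `object-src;`, refuses even same-origin plugin loads, and a script from a host outside the policy is refused under `default-src 'self'` because the header has no script-src of its own. If a console warning names a directive whose source list does admit the URL (as in the log above, where the decision was "load" yet a report was sent), the cause is worth looking for outside the policy itself, such as an extension injecting content.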

Some more digging. It looks like it's React Developer Tools.

https://github.com/facebook/react-devtools/issues/134

Is this problem purely Facebook's I wonder?

Joe, what are the STR for this problem? Once I know, I can have a look and see what's going on.
Flags: needinfo?(jwalker)
Whiteboard: [domsecurity-backlog]

I've not noticed it for a while.

The STR was fairly simple. React app, delivered with strict CSP (default-src 'self'). I'd be happy to close this, because I no longer see it in my setup. But I'll leave the call up to you since the react issue isn't actually closed.
Flags: needinfo?(jwalker)

(In reply to Joe Walker [:jwalker] (needinfo me or ping on irc) from comment #6)
> I've not noticed it for a while.
> 
> The STR was fairly simple. React app, delivered with strict CSP (default-src
> 'self'). I'd be happy to close this, because I no longer see it in my setup.
> But I'll leave the call up to you since the react issue isn't actually
> closed.

Before closing this I'll ask Kamil if he can reproduce the issue. Kamil, can you give that a try?
Flags: needinfo?(kjozwiak)

As per comment 6, I am closing this one as INVALID since it seems it's not a problem anymore.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(kjozwiak)
Resolution: --- → INVALID