Closed Bug 1373298 Opened 7 years ago Closed 7 years ago

Spurious Content Security Policy errors in our PWA

Categories

Product/Component: Core :: DOM: Security (defect)
Version: 56 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking


Status: RESOLVED DUPLICATE of bug 1358106

People

(Reporter: ashley, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20170615030208

Steps to reproduce:

1. Visit https://editor.construct.net/?skip-support-check


Actual results:

The console logs a lot of Content Security Policy errors of the form:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). Source: enable-background:new 0 0 438.533 438.53.... editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). Source: enable-background:new 0 0 26 26;. editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). Source: fill:#030104;. editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). Source: fill:#030104;.


Expected results:

It's not clear why these errors are being logged. They do not appear to identify a specific resource that was blocked, and as far as I can tell looking around our PWA, nothing has actually failed to load.

I suspect the errors are spurious, but if not, they're unhelpful. They don't seem to make sense ("blocked the loading of a resource at self" when our CSP allows resources at "self") and they don't clearly identify a resource (either there is no resource mentioned or it's something mysterious like "enable-background:new 0 0 26 26" or "fill:#030104").

Chrome does not log any such errors.
Component: Untriaged → DOM: Security
I looked into this a bit more and it turns out we have some style attributes in SVG which appear to match the error messages. Seems that Chrome ignores them but Firefox logs an error - not sure which browser's correct here actually.
Note we just published an update that works around the original issue; to see it please visit this URL instead: https://editor.construct.net/r38-2/?skip-support-check
This appears to be a duplicate of bug 1358106 -- we should not be applying CSP to the interior of an SVG loaded as an <img> tag.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
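The mechanism behind the console messages, as an added example that is not part of the bug report or of any Firefox or Construct code: a small Node.js script that resolves which directive of a CSP governs an inline `style` attribute under the CSP Level 3 fallback chain (`style-src-attr`, then `style-src`, then `default-src`), checks whether that directive carries `'unsafe-inline'`, and lists the style attributes found in an SVG string. The policy string is the one quoted in the messages; the SVG markup, the function names, and the simplification that only `'unsafe-inline'` admits a style attribute (hash-based allowances are ignored) are assumptions of the example. Run against the reported policy it shows that any document the policy is applied to would have every `style` attribute refused, which is exactly why an SVG loaded through `<img>` must not inherit the embedding page's policy.

```javascript
// Added example, not code from the bug or from Firefox/Construct.
// Assumes CSP3 fallback for inline style attributes:
//   style-src-attr -> style-src -> default-src
// and treats 'unsafe-inline' as the only source expression that admits
// an arbitrary style attribute (hash/'unsafe-hashes' handling omitted).

// Parse "name v1 v2; name2 v3" into a Map; the first occurrence of a
// directive name wins, as the CSP spec requires.
function parsePolicy(policy) {
  const directives = new Map();
  for (const token of policy.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...values] = parts;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

const STYLE_ATTR_FALLBACK = ["style-src-attr", "style-src", "default-src"];

// Return the most specific directive present, or null if the policy says
// nothing about styles at all (in which case nothing is restricted).
function governingDirective(directives) {
  for (const name of STYLE_ATTR_FALLBACK) {
    if (directives.has(name)) return name;
  }
  return null;
}

// Decide whether a style="..." attribute may be applied under the policy.
function inlineStyleAttrAllowed(policy) {
  const directives = parsePolicy(policy);
  const directive = governingDirective(directives);
  if (directive === null) return { allowed: true, directive: null };
  const values = directives
    .get(directive)
    .map((v) => v.replace(/^'|'$/g, "").toLowerCase());
  return { allowed: values.includes("unsafe-inline"), directive };
}

// Collect the values of style="..." attributes in an SVG/XML string.
function svgStyleAttributes(svgText) {
  const out = [];
  const re = /\sstyle\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(svgText)) !== null) out.push(m[1]);
  return out;
}

// Constructed sample: the policy quoted in the console messages, and an
// SVG carrying the two style values that showed up as "Source:" text.
const REPORTED_POLICY = "default-src https://editor.construct.net blob:";
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 26 26"
  style="enable-background:new 0 0 26 26;">
  <path d="M0 0h26v26H0z" style="fill:#030104;"/>
</svg>`;

// Report which directive applies and which attributes would be refused
// if the policy were (wrongly, for an <img> SVG) applied to the SVG's
// own document.
function explain(policy, svgText) {
  const verdict = inlineStyleAttrAllowed(policy);
  const attrs = svgStyleAttributes(svgText);
  return {
    directive: verdict.directive,
    allowed: verdict.allowed,
    reported: verdict.allowed ? [] : attrs,
  };
}

console.log(explain(REPORTED_POLICY, SAMPLE_SVG));
console.log(
  explain(REPORTED_POLICY + "; style-src 'self' 'unsafe-inline'", SAMPLE_SVG)
);
```

With the reported policy the verdict comes from `default-src`, which lists only the origin and `blob:`, so both `enable-background:new 0 0 26 26;` and `fill:#030104;` are reported; adding `style-src 'self' 'unsafe-inline'` makes `style-src` the governing directive and clears the list. That is the workaround a site could apply, but the triager's point stands: the policy should not reach the interior of an image-loaded SVG in the first place.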