Closed
Bug 1373298
Opened 7 years ago
Closed 7 years ago
Spurious Content Security Policy errors in our PWA
Categories
(Core :: DOM: Security, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1358106
People
(Reporter: ashley, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20170615030208

Steps to reproduce:

1. Visit https://editor.construct.net/?skip-support-check

Actual results:

The console logs a lot of Content Security Policy errors of the form:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). Source: enable-background:new 0 0 438.533 438.53.... editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). Source: enable-background:new 0 0 26 26;. editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). Source: fill:#030104;. editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). Source: fill:#030104;.

Expected results:

It's not clear why these errors are being logged. They do not appear to identify a specific resource that was blocked, and as far as I can tell looking around our PWA, nothing has actually failed to load. I suspect the errors are spurious, but if not, they're unhelpful.
They don't seem to make sense ("blocked the loading of a resource at self" when our CSP allows resources at "self") and they don't clearly identify a resource (either there is no resource mentioned or it's something mysterious like "enable-background:new 0 0 26 26" or "fill:#030104"). Chrome does not log any such errors.
Updated•7 years ago
Component: Untriaged → DOM: Security
I looked into this a bit more and it turns out we have some style attributes in SVG which appear to match the error messages. Seems that Chrome ignores them but Firefox logs an error - not sure which browser's correct here actually.
Note we just published an update that works around the original issue; to see it please visit this URL instead: https://editor.construct.net/r38-2/?skip-support-check
Comment 3•7 years ago
This appears to be a duplicate of bug 1358106 -- we should not be applying CSP to the interior of a SVG loaded as an <img> tag.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
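As an added illustration (not code from this bug or from Firefox), a small Python model of the CSP rules behind comment 3: style-src falls back to default-src when absent, host sources such as self never authorise inline style attributes, and the policy should not be evaluated against the interior of an SVG rendered through an <img> tag. The policy string and the two style attribute values come from the report; the function names and the load-context labels ("inline", "img") are my own.

```python
# Minimal model of CSP directive fallback and inline-style handling, written to
# explain the "blocked the loading of a resource at self" messages in this bug.
# It is an explanatory model, not Firefox's implementation.

def parse_csp(policy: str) -> dict:
    """Parse a Content-Security-Policy value into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_sources(directives: dict, directive: str):
    """style-src, script-src, img-src, ... fall back to default-src when absent.
    Returns None when neither is present, i.e. the fetch is unrestricted."""
    if directive in directives:
        return directives[directive]
    return directives.get("default-src")


def inline_style_allowed(policy: str) -> bool:
    """Inline style attributes need 'unsafe-inline' in the governing source list.
    Host sources ('self', https://editor.construct.net, blob:) only authorise
    external stylesheets, which is why the reported policy rejects them."""
    sources = effective_sources(parse_csp(policy), "style-src")
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


def csp_applies_to_svg_content(load_context: str) -> bool:
    """Model of comment 3: the document's CSP governs SVG inlined into the
    document, but should not be applied to the interior of an SVG that is
    rendered through <img>, where it behaves as an opaque image."""
    return load_context != "img"


# Values quoted in the bug report.
REPORTED_POLICY = "default-src https://editor.construct.net blob:"
SVG_STYLE_ATTRIBUTES = ["enable-background:new 0 0 26 26", "fill:#030104"]


def violations(policy: str, load_context: str) -> list:
    """Style attribute values that would be reported as CSP violations."""
    if not csp_applies_to_svg_content(load_context):
        return []
    if inline_style_allowed(policy):
        return []
    return list(SVG_STYLE_ATTRIBUTES)
```

Running violations(REPORTED_POLICY, "inline") reproduces the two reported sources, while violations(REPORTED_POLICY, "img") is empty, which is the behaviour comment 3 says Firefox should have had.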