Closed
Bug 1033001
Opened 12 years ago
Closed 12 years ago
XHR doesn't respect connect-src after CPP CSP
Categories
(Core :: DOM: Security, defect)
Core
DOM: Security
Tracking
()
RESOLVED
DUPLICATE
of bug 1031530
People
(Reporter: reuben, Unassigned)
References
Details
When trying to use the rTorrent WebUI on Nightly I ran into CSP problems. The policy is:
Content-Security-Policy: default-src 'none'; img-src 'self' data:; frame-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';
The page is trying to XHR a script in the same subdomain and getting rejected with the following error message:
Content Security Policy: The page's settings blocked the loading of a resource at https://foo.bar.ca/webui/php/getplugins.php ("default-src 'none'").
Content Security Policy: The page's settings blocked the loading of a resource at https://foo.bar.ca/webui/php/getsettings.php ("default-src 'none'").
I don't understand why we're falling back to the default-src directive when there's a connect-src in the CSP line.
| Reporter | ||
Comment 1•12 years ago
|
||
(The web interface in question is ruTorrent.)
Comment 2•12 years ago
|
||
From what I see this is a duplicate to:
https://bugzilla.mozilla.org/show_bug.cgi?id=1031530 which is currently on try and about to land shortly.
Comment 3•12 years ago
|
||
Reuben, https://bugzilla.mozilla.org/show_bug.cgi?id=1031530 landed, that should have resolved the problem, can you verify and close this bug if it works correctly?
Flags: needinfo?(reuben.bmo)
| Reporter | ||
Comment 4•12 years ago
|
||
I will when it hits Nightly tomorrow.
| Reporter | ||
Comment 5•12 years ago
|
||
Yep, it's working :D
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(reuben.bmo)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•