Closed Bug 1033001 Opened 12 years ago Closed 12 years ago

XHR doesn't respect connect-src after CPP CSP

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1031530

People

(Reporter: reuben, Unassigned)

References

Details

When trying to use the rTorrent WebUI on Nightly I ran into CSP problems. The policy is: Content-Security-Policy: default-src 'none'; img-src 'self' data:; frame-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; The page is trying to XHR a script in the same subdomain and getting rejected with the following error message: Content Security Policy: The page's settings blocked the loading of a resource at https://foo.bar.ca/webui/php/getplugins.php ("default-src 'none'"). Content Security Policy: The page's settings blocked the loading of a resource at https://foo.bar.ca/webui/php/getsettings.php ("default-src 'none'"). I don't understand why we're falling back to the default-src directive when there's a connect-src in the CSP line.
(The web interface in question is ruTorrent.)
From what I see this is a duplicate to: https://bugzilla.mozilla.org/show_bug.cgi?id=1031530 which is currently on try and about to land shortly.
Reuben, https://bugzilla.mozilla.org/show_bug.cgi?id=1031530 landed, that should have resolved the problem, can you verify and close this bug if it works correctly?
Flags: needinfo?(reuben.bmo)
I will when it hits Nightly tomorrow.
Yep, it's working :D
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(reuben.bmo)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.