Closed
Bug 1066462
Opened 10 years ago
Closed 10 years ago
CSP attribute in manifest doesn't block an external image
Categories
(Core :: DOM: Security, defect)
RESOLVED
DUPLICATE
of bug 1030936
People
(Reporter: pauljt, Unassigned)
When testing 1021972, I found that the img-src directive doesn't restrict loading of images. For example, img-src 'self'; still allows loading of an image from a remote origin.
STR:
1. Install app from https://github.com/pauljt/csptest
2. Scroll to bottom of app and choose "external image" link
3. A page is shown which attempts to load an external image
Expected Results:
Image is blocked
Actual:
Image is loaded as if there was no CSP.
Reporter
Comment 1•10 years ago
Further notes:
The extra CSP that this app opts into using the manifest is:
"csp": "image-src 'self'; style-src 'self';"
Note that the inline style appears to be blocked so it seemed this CSP is actually being set.
Tested with https://github.com/pauljt/csptest/blob/master/inlinestyle.html
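An added example, not code from this bug or from the csptest app: a small CSP source-list evaluator for image loads (img-src, falling back to default-src) that shows the blocking the reporter expected from img-src 'self'. The document origin https://app.example and the image URLs are constructed. Note that the manifest string quoted in comment 1 spells the directive image-src, which is not a CSP directive name; a spec-following evaluator ignores directives it does not recognise, and the function below does the same.

```javascript
// Parse a CSP string into a map of directive name -> source expressions.
// Per CSP, the first occurrence of a directive wins; later duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression ('self', 'none', *, or a host-source such as
// https://cdn.example, *.example.org, example.org:8080) match the given URL?
function sourceMatches(expr, url, selfOrigin) {
  const u = new URL(url);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return u.origin === selfOrigin;
  if (e === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false; // keyword or malformed expression: never matches an image URL
  const [, scheme, wild, host, port] = m;
  if (scheme && scheme + ':' !== u.protocol) return false;
  const h = u.hostname;
  if (wild ? !h.endsWith('.' + host) : h !== host) return false;
  if (port && port !== '*' && port !== (u.port || defaultPort(u.protocol))) return false;
  return true;
}

// Decide whether an <img> load is permitted. img-src governs images; when it is
// absent default-src applies; when neither is present the load is allowed.
// selfOrigin is the app's origin (constructed value https://app.example in the tests).
function imageAllowed(policy, imageUrl, selfOrigin) {
  const d = parseCsp(policy);
  const list = d.get('img-src') ?? d.get('default-src');
  if (list === undefined) return true;
  return list.some((expr) => sourceMatches(expr, imageUrl, selfOrigin));
}
```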
Comment 2•10 years ago
That's because the csp for certified apps is still using the hardcoded fastpath that only knows about the default certified csp. That should all be fixed once bug 1030936 is fixed.
Reporter
Comment 3•10 years ago
(In reply to Fabrice Desré [:fabrice] from comment #2)
> That's because the csp for certified apps is still using the hardcoded
> fastpath that only knows about the default certified csp. That should all be
> fixed once bug 1030936 is fixed.
Ah ok thanks Fabrice!
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE