Closed Bug 1089746 Opened 10 years ago Closed 10 years ago

CSP: Investigate why tests are not passing for font-src on http://csptesting.herokuapp.com/

Categories: Core :: DOM: Security, defect, P2

Status: RESOLVED INVALID

People: Reporter: ckerschb, Assigned: ckerschb

References: Blocks 1 open bug

Details

I was looking for online CSP tests and apparently we do not pass all font-src tests on: http://csptesting.herokuapp.com/ - we should investigate that!
Blocks: CSP
Note, here is the source for the tests: https://github.com/eoftedal/csp-testing
Assignee: nobody → mozilla
Priority: -- → P2
None of the failing tests on http://csptesting.herokuapp.com/ are caused by CSP problems in our implementation - we can close this bug as invalid!

Here is a list of failing tests and why they are failing!

> 111	Load font from font-src with redirect from allowed to allowed
> 117	Load font from font-src with redirect from allowed to allowed

Our CSP implementation can handle redirects correctly. Worth mentioning is that all other redirect tests on that page pass. The web console shows the following error for test 111 and 117:
> downloadable font: download failed (font-family: "myFirstFont" style:normal weight:normal stretch:normal src index:0): bad URI or cross-site access not allowed source: http://csptesting.insecurelabs.org/redirect/pass/111?_=1416505940.3087204


> 171	SVG - scripting event handler

This test uses a policy of |script-src 'unsafe-inline'| and is not blocked by our CSP, and in fact should not be blocked. It seems the test is wrong. Our implementation seems to align with Chrome, where the test is also failing because Chrome also allows the load.

Interesting to inspect was test
> 172	SVG - scripting event handler
which uses a policy of |script-src 'self'| and is correctly blocked by our CSP (also blocked in Chrome).

> 183	Sandbox
> 185	Sandbox

The last two tests are failing because we haven't landed |Bug 671389 - Implement CSP sandbox directive| yet. The tests use a CSP of |sandbox| and |sandbox allow-scripts| respectively. Bug 671389 supplies test coverage for sandbox directives; we should still revisit the test page to make sure everything works as expected once Bug 671389 has landed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
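The three outcomes discussed in this bug (a font-src fetch that goes through a redirect, an inline SVG event handler under 'unsafe-inline' versus 'self', and a sandbox directive with or without allow-scripts) can be reproduced with a small policy evaluator. The code below is an added example written for this page; it is not Firefox's CSP implementation nor the csp-testing project's code. It assumes a simplified source-expression matcher (no path matching, nonces or hashes), and the redirect chain it checks is constructed: the first hop is the URL quoted in the console error above, the final font URL is made up.

```python
"""Minimal CSP evaluator (added example, not Firefox's or csp-testing's code):
parses a Content-Security-Policy header and decides whether a fetch through a
redirect chain, an inline event handler, or a sandboxed document is permitted.
Path matching, nonces and hashes are deliberately left out."""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    The first occurrence of a directive wins, as in the spec."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def origin_of(url):
    """(scheme, host, effective port) of a URL, used as an origin tuple."""
    u = urlparse(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def source_matches(expr, url, page_origin):
    """Does one source expression match the URL? Handles 'none', 'self', '*',
    scheme-source (https:) and host-source with optional scheme, wildcard
    subdomain and port."""
    scheme, host, port = origin_of(url)
    e = expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        return (scheme, host, port) == page_origin
    if e == "*":
        return scheme in DEFAULT_PORTS
    if e.startswith("'"):
        return False  # 'unsafe-inline', nonces, hashes are not fetch sources
    if e.endswith(":") and "/" not in e:
        return scheme == e[:-1]  # scheme-source such as "https:"
    # host-source: [scheme://]host[:port][/path]
    if "://" in e:
        e_scheme, rest = e.split("://", 1)
        if e_scheme != scheme:
            return False
    else:
        rest = e
        # no scheme given: inherit the page's scheme (http pages may upgrade to https)
        if scheme != page_origin[0] and not (page_origin[0] == "http" and scheme == "https"):
            return False
    e_host, _, e_port = rest.split("/", 1)[0].partition(":")
    if e_port == "*":
        pass
    elif e_port:
        if int(e_port) != port:
            return False
    elif port != DEFAULT_PORTS.get(scheme):
        return False
    if e_host.startswith("*."):
        return host.endswith(e_host[1:])
    return host == e_host


def allows_fetch(policy, directive, redirect_chain, page_origin):
    """Every hop of a redirect chain must match the governing source list:
    the directive itself, else default-src, else the fetch is unrestricted."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return all(any(source_matches(s, url, page_origin) for s in sources)
               for url in redirect_chain)


def allows_inline_script(policy):
    """Inline event handlers (e.g. onload= inside SVG) need 'unsafe-inline' in
    script-src, or in default-src when script-src is absent."""
    sources = policy.get("script-src", policy.get("default-src"))
    return sources is None or "'unsafe-inline'" in [s.lower() for s in sources]


def sandbox_flags(policy):
    """None when the policy has no sandbox directive, otherwise the set of
    allow-* flags (an empty set means a fully sandboxed document)."""
    if "sandbox" not in policy:
        return None
    return set(policy["sandbox"])


if __name__ == "__main__":
    page = origin_of("http://csptesting.herokuapp.com/")
    font_policy = parse_csp("font-src http://csptesting.insecurelabs.org")
    # Constructed chain: first hop is the URL from the console error in the bug,
    # the final font URL is invented for this example.
    chain = ["http://csptesting.insecurelabs.org/redirect/pass/111",
             "http://csptesting.insecurelabs.org/fonts/myFirstFont.woff"]
    print("font via allowed->allowed redirect:", allows_fetch(font_policy, "font-src", chain, page))
    print("test 171 ('unsafe-inline') handler allowed:", allows_inline_script(parse_csp("script-src 'unsafe-inline'")))
    print("test 172 ('self') handler allowed:", allows_inline_script(parse_csp("script-src 'self'")))
    print("test 183 sandbox flags:", sandbox_flags(parse_csp("sandbox")))
    print("test 185 sandbox flags:", sandbox_flags(parse_csp("sandbox allow-scripts")))
```

Run it as a script to see the four cases side by side; the redirect check is the interesting one, since a policy that allows the first hop but not the final URL rejects the whole chain, which is exactly the behaviour the "redirect from allowed to allowed" tests are meant to exercise.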