Closed Bug 1094053 Opened 10 years ago Closed 6 years ago

Firefox OS 2.0~ simulator cannot connect twitter oauth or any other page with CSP directive like: frame-ancestors https://*:*

Categories

(Firefox OS Graveyard :: Simulator, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: bugzilla, Unassigned)

Details

In Firefox OS Simulator, we cannot connect to Twitter OAuth page:
https://api.twitter.com/oauth/authenticate?oauth_token=**********

Error message:
  Unable to connect
  A network error occurred while
  trying to reach the site.

At that time, a CSP violation report will be sent to:
https://twitter.com/i/csp_report?a=********&ro=false

{"csp-report":{
  "document-uri":"https://api.twitter.com/oauth/authenticate?oauth_token=**********",
  "referrer":"https://atnd.org/login",
  "blocked-uri":"app://browser.gaiamobile.org/index.html",
  "violated-directive":"frame-ancestors https://*:*"}
}


The CSP directive "frame-ancestors https://*:*" requires the parent frame origin to use https://, but the Browser's origin uses app://. I believe this causes the CSP error.

In simulator, Browser should not be treated as parent frame of CSP content.
# works fine on FxOS devices, reproduced only on Simulator
Summary: Unable to connect twitter oauth or any other page with CSP directive liek frame-ancestors https://*:* → Unable to connect twitter oauth or any other page with CSP directive like: frame-ancestors https://*:*
One more note:
CSP directive of Twitter OAuth page (https://api.twitter.com/oauth/authenticate?oauth_token=**********) is:

content-security-policy: "default-src https:; connect-src https:; font-src https: data:; frame-src https:; frame-ancestors https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=**********&ro=false;"
(In reply to dynamis (Tomoya ASAI) from comment #0)
> In simulator, Browser should not be treated as parent frame of CSP content.
> # works fine on FxOS devices, reproduced only on Simulator

Reproduced only on Simulator 2.0 or later:
  Reproduced on Firefox OS Simulator 2.2
  Reproduced on Firefox OS Simulator 2.0
  Works fine on Firefox OS Simulator 1.4
Summary: Unable to connect twitter oauth or any other page with CSP directive like: frame-ancestors https://*:* → Firefox OS 2.0~ simulator cannot connect twitter oauth or any other page with CSP directive like: frame-ancestors https://*:*
Alex, since this works on devices apparently, would it be an issue with the simulator being non-OOP, or something else?
Flags: needinfo?(poirot.alex)
It looks like it, it seems to work if I enable OOP, but the rocketbar crashes when OOP is on so that it becomes very hard to open a URL :s
Having said that, ideally, CSP would also work in non-OOP...
Flags: needinfo?(poirot.alex)
Firefox OS is not being worked on
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
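
The ancestor check discussed in this bug, as an added example (not part of the thread and not Gecko's code): a simplified frame-ancestors matcher run against the directive and blocked URI quoted in the report. The function names and the ancestor chains are assumptions made for illustration.

```javascript
// Simplified frame-ancestors matcher: scheme-source ("https:"), host-source with
// wildcards ("https://*:*"), 'self' and 'none' only. Not Gecko's implementation.
const DEFAULT_PORTS = { http: "80", https: "443" };

// Parsed by hand: the URL API's origin getter returns "null" for schemes like app://.
function parseOrigin(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]*)(?::(\d+))?/i.exec(url);
  if (!m) throw new Error("unsupported URL: " + url);
  const scheme = m[1].toLowerCase();
  return { scheme, host: m[2].toLowerCase(), port: m[3] || DEFAULT_PORTS[scheme] || "" };
}

function sourceMatches(expr, origin, self) {
  if (expr === "'none'") return false;
  if (expr === "'self'") {
    return origin.scheme === self.scheme && origin.host === self.host && origin.port === self.port;
  }
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (schemeOnly) return origin.scheme === schemeOnly[1].toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false; // unsupported expression: treat as no match
  const scheme = (m[1] || self.scheme).toLowerCase(); // no scheme: use the protected page's
  const host = m[2].toLowerCase();
  const port = m[3] || DEFAULT_PORTS[scheme] || "";
  if (origin.scheme !== scheme) return false;
  const hostOk = host === "*" ||
    (host.startsWith("*.") ? origin.host.endsWith(host.slice(1)) : origin.host === host);
  return hostOk && (port === "*" || origin.port === port);
}

// Returns the first ancestor URL that no source expression allows, or null if all pass.
function firstBlockedAncestor(policy, pageUrl, ancestorUrls) {
  const directive = policy.split(";").map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (!directive) return null; // no frame-ancestors directive: embedding is unrestricted
  const self = parseOrigin(pageUrl);
  const blocked = ancestorUrls.find(a =>
    !directive.slice(1).some(expr => sourceMatches(expr, parseOrigin(a), self)));
  return blocked || null;
}

// Values from this bug; the ancestor chains passed in are constructed for illustration.
const PAGE = "https://api.twitter.com/oauth/authenticate";
const BROWSER_APP = "app://browser.gaiamobile.org/index.html";
const REPORTED = "frame-ancestors https://*:*";
const HEADER = "default-src https:; frame-src https:; frame-ancestors https:; img-src https: data:";
console.log(firstBlockedAncestor(REPORTED, PAGE, [BROWSER_APP])); // browser app counted as parent
console.log(firstBlockedAncestor(REPORTED, PAGE, [])); // assumed: browser app not an ancestor
```

Both the `https:` form from the response header and the `https://*:*` form from the violation report reject an `app://` ancestor, because the scheme comparison fails before the host and port wildcards are considered.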