Closed Bug 1111339 Opened 5 years ago Closed 5 years ago

[e10s] CSP 'frame-src https:' stops user from navigating to http pages that redirect to a different http location


(Core :: DOM: Security, defect)

(Reporter: sjakthol, Unassigned)


Steps to reproduce:
0. Use Nightly and have e10s enabled
1. Go to
2. Type "" into the URL bar and press enter

What happens:
Google homepage is not loaded and a CSP violation is logged to the web console.

What should happen:
Google homepage is loaded as that's what the user requested.

I've determined that the following conditions are necessary to trigger this bug:
- e10s must be enabled - this does not happen in non-e10s windows.
- the original page ( in STR) must have "frame-src https:" in the CSP header
- the target page ( in STR) must redirect with 301 or 302 to an http Location; the redirect target is the blocked URL.

So for STR the requests and responses are:
- GET => 200 OK; content-security-policy: <see a few lines below>
- GET => 301 Moved Permanently; Location:
- GET => Blocked by CSP.

Here's the full CSP header of
> content-security-policy: default-src 'self'; connect-src 'self'; font-src 'self' https://* data:; frame-src 'self'; frame-ancestors 'self'; img-src 'self' https://* data:; media-src 'self' https://*; object-src 'none'; script-src 'self' https://*; style-src 'self' https://*; report-uri<random-looking-string>&ro=false;

Here's the body of CSP report sent to
> {
>   "csp-report": {
>     "blocked-uri":"",
>     "document-uri":"",
>     "original-policy":"default-src https:; connect-src https:; font-src https: data:; frame-src https: twitter:; frame-ancestors https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri<random-looking-string>&ro=false",
>     "referrer":"",
>     "violated-directive":"frame-src https: twitter:"
>   }
> }

Here's a CSP header for minimal test case:
> content-security-policy: frame-src https:; report-uri http://localhost/csp

Here's the body of CSP report for the above minimal test case:
> {
>   "csp-report": {
>     "blocked-uri":"",
>     "document-uri":"http://localhost/",
>     "original-policy":"frame-src https:; report-uri http://localhost/csp",
>     "referrer":"",
>     "violated-directive":"frame-src https:"
>   }
> }
Summary: [e10s] CSP stops user from navigating from https to http pages → [e10s] CSP 'frame-src https:' stops user from navigating to http pages that redirect to a different http location
Flags: needinfo?(mrbkap)
Closed: 5 years ago
Flags: needinfo?(mrbkap)
Resolution: --- → DUPLICATE
Duplicate of bug: 1112782
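Added example (not code from this bug or from Firefox): a small CSP Level 2 style source-list matcher and csp-report parser that shows the rule at issue. `frame-src https:` refuses an http: URL only when that URL is loaded into a nested browsing context; a top-level navigation, including one reached through a 301/302 redirect as in the STR, is outside frame-src's scope, so the minimal test case's report should never have been sent. Hostnames such as redirect-target.example and the report body are constructed; path matching in host-sources is deliberately left out.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# Directive lookup order for a frame load: frame-src, then its fallbacks.
FRAME_FALLBACK = ("frame-src", "child-src", "default-src")


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), []).extend(parts[1:])
    return policy


def _origin(url):
    """(scheme, host, effective port) of a URL; the port falls back to the scheme default."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme))


def _host_source_matches(source, url, self_origin):
    """host-source: [scheme://]host[:port][/path]; the path part is ignored here (assumption)."""
    src_scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    host_port = rest.split("/", 1)[0]
    src_host, _, src_port = host_port.rpartition(":") if ":" in host_port else (host_port, "", "")
    scheme, host, port = _origin(url)
    if src_scheme is not None:
        if scheme != src_scheme.lower():
            return False
    else:
        # No scheme in the source: the document's scheme applies, and an
        # http: document may still load https: (the upgrade CSP2 permits).
        if scheme != self_origin[0] and not (self_origin[0] == "http" and scheme == "https"):
            return False
    src_host = src_host.lower()
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):
            return False
    elif src_host != "*" and host != src_host:
        return False
    if src_port == "*":
        return True
    return port == (int(src_port) if src_port else DEFAULT_PORTS.get(scheme))


def url_allowed_by(sources, url, self_origin):
    """True if any source expression in the list matches the URL."""
    if not sources or sources == ["'none'"]:
        return False
    scheme = urlsplit(url).scheme
    for src in sources:
        if src == "*":
            if scheme not in ("data", "blob", "filesystem"):
                return True
        elif src == "'self'":
            if _origin(url) == self_origin:
                return True
        elif src.startswith("'"):
            continue  # 'unsafe-inline', 'unsafe-eval' etc. never match a URL
        elif src.endswith(":") and "/" not in src:
            if scheme == src[:-1].lower():  # scheme-source such as https: or twitter:
                return True
        elif _host_source_matches(src, url, self_origin):
            return True
    return False


def frame_load_allowed(policy, url, document_url, context):
    """Decide a load under the policy. context is 'frame' (nested browsing
    context) or 'top-level' (navigating the document itself).
    Returns (allowed, governing directive or None)."""
    if context == "top-level":
        # frame-src governs nested browsing contexts only; a top-level
        # navigation, even one reached via a redirect, is not subject to it.
        return True, None
    self_origin = _origin(document_url)
    for name in FRAME_FALLBACK:
        if name in policy:
            return url_allowed_by(policy[name], url, self_origin), name
    return True, None  # no applicable directive


def parse_csp_report(body):
    """Pull the fields a report-uri endpoint would log out of a csp-report body."""
    r = json.loads(body)["csp-report"]
    return {k: r.get(k, "") for k in ("document-uri", "blocked-uri", "violated-directive", "original-policy")}


def report_matches_frame_block(body):
    """Re-evaluate a report: would the blocked URL be refused as a *frame* load
    under the reported policy? True means the report is consistent with a
    frame load; for a top-level navigation no report should exist at all."""
    r = parse_csp_report(body)
    allowed, _ = frame_load_allowed(parse_csp(r["original-policy"]), r["blocked-uri"], r["document-uri"], "frame")
    return not allowed


# Constructed sample: the bug's minimal header with a made-up blocked URL.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "http://redirect-target.example/",
    "document-uri": "http://localhost/",
    "original-policy": "frame-src https:; report-uri http://localhost/csp",
    "referrer": "",
    "violated-directive": "frame-src https:"}})

if __name__ == "__main__":
    policy = parse_csp("frame-src https:; report-uri http://localhost/csp")
    for ctx in ("frame", "top-level"):
        print(ctx, frame_load_allowed(policy, "http://redirect-target.example/", "http://localhost/", ctx))
    print("report consistent with a frame load:", report_matches_frame_block(SAMPLE_REPORT))
```

Running it prints `(False, 'frame-src')` for the frame case and `(True, None)` for the top-level case: the same http: redirect target is refused only as a frame. A report-uri endpoint can use `report_matches_frame_block` to flag reports whose document-uri/blocked-uri pair looks like a top-level navigation rather than an embedded frame, which is the pattern this bug produced.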