Closed
Bug 1155792
Opened 9 years ago
Closed 9 years ago
cnn.com home page shows low-resolution placeholder image until window is resized
Categories
(Core :: Security, defect)
Core
Security
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox39 | --- | unaffected |
| firefox40 | + | fixed |
| firefox41 | --- | fixed |
People
(Reporter: cpeterson, Assigned: ckerschb)
References
Details
(Keywords: regression, reproducible, site-compat)
Attachments
(1 file)
|
1.89 MB,
image/png
|
Details |
cnn-screenshot.png
The low-resolution placeholder image is supposed to be quickly replaced by a high-resolution image. In Nightly 40, the image is now replaced until I resize the window or (sometimes) wait 10+ seconds. See attached screenshot. I am using OS X 10.10. This seems to be a recent regression. mozregression bisected to this mozilla-central pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=883e17fc475f&tochange=ab0490972e1e and then narrowed to libvpx bug 1137614. This seems like an unlikely cause, so I don't trust this regression range.
|
Reporter | |
Comment 1•9 years ago
|
||
Christoph, now that I better understand this bug's STR, I bisected this regression again and landed on this pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=2e0ebba4a766&tochange=183190289b9c Could this bug be a regression from your fix for CSP bug 1086999?
Flags: needinfo?(mozilla)
|
||
Comment 2•9 years ago
|
||
(Do you see any Content Security Policy messages in the Browser Console, when you hit this bug? [and are those messages missing in pre-regression builds?] If so, that'd be a strong sign that comment 1 is correct.)
|
||
Comment 3•9 years ago
|
||
via local build: Last Good: 8bd316ad33c6 First Bad: 3aaf3cccabac Triggered by 3aaf3cccabac Christoph Kerschbaumer — Bug 1086999 - CSP: Asterisk (*) wildcard should not allow blob:, data:, or filesystem: when matching source expressions (r=sstamm)
Blocks: CVE-2015-4490
Keywords: regressionwindow-wanted
|
|
||
Updated•9 years ago
|
OS: Mac OS X → All
|
|
Reporter | |
Comment 4•9 years ago
|
||
(In reply to Daniel Holbert [:dholbert] from comment #2) > (Do you see any Content Security Policy messages in the Browser Console, > when you hit this bug? [and are those messages missing in pre-regression > builds?] If so, that'd be a strong sign that comment 1 is correct.) Yes. I see this CSP error that I don't see with Aurora 39: Content Security Policy: The page's settings blocked the loading of a resource at data:image/gif;base64,R0lGODlhEAAJAJEAAAAAAP///////wAAACH5BAEAAAIALAAAAAAQAAkAAAIKlI+py+0Po5yUFQA7 ("img-src http://www.cnn.com *").
|
|
||
Comment 5•9 years ago
|
||
(I see that, too, though I can't reproduce this bug [on linux] -- and more importantly, that particular data URL seems to just be a 16x9 blank spacer GIF. So I think that error may be a red herring. I wonder where the real high-res content is getting blocked.)
|
|
||
Comment 6•9 years ago
|
||
Anyway -- reclassifying in Security, given comment 1 and comment 3.
Component: Layout → Security
Version: unspecified → Trunk
|
|
||
Comment 7•9 years ago
|
||
[Tracking Requested - why for this release]: Web compat regression. Sounds like technically a bug in the site, helped along by the fact that absolutely no browser implemented the spec correctly until we landed that patch, no? Which might just mean the spec is not web-compatible and needs to change; we've had a number of regression reports about this now.
tracking-firefox40:
--- → ?
Flags: needinfo?(mkwst)
|
||
Comment 8•9 years ago
|
||
Any chance that https://bugzilla.mozilla.org/show_bug.cgi?id=1086999 could be backed out while its decided what is best course of action, whether file a Evangelism bug with CNN, or waiting for re-write/clarification of the spec ? Looking at blurry images is getting tiresome on eyes.
|
|
||
Comment 9•9 years ago
|
||
(In reply to Daniel Holbert [:dholbert] from comment #5) > (I see that, too, though I can't reproduce this bug [on linux] Ah, I can repro now, using a fresh profile. (I think I wasn't seeing this in my main browsing profile because of NoScript or one of my other add-ons modifying the page load behavior.) > I wonder where the real > high-res content is getting blocked. Following up on this -- when we fail, the img "src" attribute has been left pointing to a small image. Its "src" attribute is a URL that ends with "small-169.jpg". When I resize the window, the <img> src attribute changes to the same URL but with "exlarge-169.jpg" at the end. Also: I can work around this bug by toggling the about:config pref "security.csp.enable" to false, which confirms (if it wasn't already clear) that this issue is caused by CNN's CSP. (Not sure how that influences the setting of "src" attributes -- the spacer-gif load failure might cause them to take a different code-path through their loading JS code, I guess.) Jim, if this is *really* bothering you, you could conceivably use that as a temporary local workaround. :) Christoph, could you chime in here and take a look?
|
|
||
Updated•9 years ago
|
Hardware: x86 → All
|
|
||
Comment 10•9 years ago
|
||
@Daniel - thanks, flipping pref as noted in #comment 9 clears it up for now.
|
Assignee | |
Comment 11•9 years ago
|
||
(In reply to Daniel Holbert [:dholbert] from comment #9) > Christoph, could you chime in here and take a look? Yes, our CSP implementation blocks loading of data: schemes if not explicitly whitelisted. At the moment we have three pages that break because of the changes in Bug 1086999. We summarized our options here [1] and we will decide later this week. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1086999#c34
Flags: needinfo?(mozilla)
|
||
Updated•9 years ago
|
Keywords: site-compat
|
||
Comment 12•9 years ago
|
||
Christoph, can you find an owner for this bug over the next week or so? Thanks!
Flags: needinfo?(mozilla)
|
||
Comment 13•9 years ago
|
||
A CNN engineer is now aware of this bug: https://twitter.com/ADSlaton/status/593829225058213889 > Thank you for the heads up. We will take a look.
|
|
Assignee | |
Comment 14•9 years ago
|
||
Thanks Mike for reaching out to CNN. Also, I will assign the bug to myself.
Assignee: nobody → mozilla
Flags: needinfo?(mozilla)
|
|
||
Comment 15•9 years ago
|
||
I re-checked this bug today using latest m-c win32 Nightly and the issue still exists. Any words on when CNN will fix this ?
|
|
Assignee | |
Comment 16•9 years ago
|
||
(In reply to Jim Jeffery not reading bug-mail 1/2/11 from comment #15) > I re-checked this bug today using latest m-c win32 Nightly and the issue > still exists. Any words on when CNN will fix this ? We are in contact with engineers at CNN and they are about to resolve the problem. I can't promise any timeline, but should happen fairly soon.
|
||
Comment 17•9 years ago
|
||
Just heard from the CNN site technical director: "we will work on our CSP implementation and if we have any questions we will reach out." Let's give them some time.
|
|
Reporter | |
Updated•9 years ago
|
status-firefox41:
--- → affected
|
|
||
Comment 18•9 years ago
|
||
Seems with the recent re-design of CNN's web site, the issue stated in this bug of images being displayed in 'place-holder' size has been fixed. I've not seen any issues with images for past 2-3 days after setting the pref: "security.csp.enable" back to default 'true' value. Tested in win32 m-c build from today's Nightly.
|
|
Assignee | |
Comment 19•9 years ago
|
||
(In reply to Jim Jeffery not reading bug-mail 1/2/11 from comment #18) > Seems with the recent re-design of CNN's web site, the issue stated in this > bug of images being displayed in 'place-holder' size has been fixed. Confirmed, this page works again. Not only have they restructured their page but also updated their CSP to explicitly whitelist 'data:', see: > img-src 'self' * data:; Thanks CNN!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
|
||
Updated•9 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•