1157084 - Fastmail.com missing images due to CSP error

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Fred Wenzel [:wenzel]]

Attachment: Fastmail UI: images missing (Fx40)

In the latest Firefox Nightlies, the main mail UI on fastmail.com (a mail provider) is not displaying correctly.

One example, the UI for "pinning" an email is supposed to be a pin, which is missing (screenshots attached).

Comment 1

[Fred Wenzel [:wenzel]]

Attachment: Fastmail UI: images present (Fx40 w/CSP disabled)

Same browser, fresh profile, security.csp.enable=false

Comment 2

[Fred Wenzel [:wenzel]]

The error console reads:

> Content Security Policy: The page's settings blocked the loading of a resource at data:image/png;base64,... ("img-src *").

So it's likely been caused by the fix in bug 1086999.

Comment 3

[Boris Zbarsky [:bzbarsky]]

[Tracking Requested - why for this release]: Web compat regression.

Comment 4

[Fred Wenzel [:wenzel]]

Note, I reached out to the fastmail engineers about this (waiting to hear back), because regardless of the strategy Firefox ends up shipping when Fx40 hits, it's probably wise for them to make their CSP adhere to the standard.

Comment 5

[Liz Henry (:lizzard) (relman/hg->git project)]

I don't think this needs tracking but instead I'll track the meta bug on CSP, for Firefox 40.

Comment 6

[Fred Wenzel [:wenzel]]

I received a reply; they rolled out a fix, and I can verify it's working again as it should on tonight's Nightly.

Their CSP, for the record, is now:

default-src 'self'; script-src 'self' 'unsafe-eval' https://api.pin.net.au https://api.stripe.com; style-src 'self' 'unsafe-inline'; font-src data:; img-src * data:; media-src 'none'; object-src 'none'; report-uri /log/csp