Closed
Bug 1187456
Opened 9 years ago
Closed 8 years ago
Javascript not executing correctly
Categories
(Core :: DOM: Security, defect)
RESOLVED
INVALID
People
(Reporter: barret, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36
Build ID: 20150724004006
Steps to reproduce:
1. Go to https://hackpad.com/ep/account/sign-in
2. Open Console
Actual results:
In Fx 41 and 42 I am unable to sign in and there is a JavaScript error:
TypeError: clientVars is undefined
If I open the JS debugger and search for !clientVars, there is no reference for:
var !clientVars = ...
In Fx 39 I am able to sign in and there is no JavaScript error. If I open the JS debugger and search for !clientVars, there IS a reference for:
var clientVars = ...
Expected results:
There should be no JavaScript error as the JS served is the same in both instances. You should be able to sign in.
The JavaScript that is not executed is the following:
<script type="text/javascript" nonce="7ff735370642ea9c6e71d0888eea6db242ccd299">
// <![CDATA[
var clientVars = {"facebookClientId":"145393915506961","initialSpaces":[{"id":1,"orgName":"hackpad","subDomain":"\x3c\x3cprivate-network>>","isDeleted":false,"lastLoginDate":0,"url":"https://hackpad.com/"}],"xsrf":"3969dbbfe85be9e6","isDogfood":false,"cdn":"https://d29bt26wntaesq.cloudfront.net"};
// ]]>
</script>
I have verified that this issue occurs in a new profile.
Comment 1•9 years ago
Browser console:
Content Security Policy: Ignoring "'unsafe-inline'" within script-src: nonce-source or hash-source specified <unknown>
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:30:0
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:203:0
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:217:0
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:351:0
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:365:0
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:384:0
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:393:0
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:404:0
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:418:0
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:494:0
Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=b1ba9eec8e44&tochange=1c5cc2480340
Triggered by Bug 1004703
So, I guess this is the site problem
Blocks: 1004703
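The console message in Comment 1 describes a rule that can be checked offline: once script-src lists a nonce-source or hash-source, 'unsafe-inline' no longer permits inline scripts, so every inline script needs a matching nonce. The following is an added example, not part of the bug report and not Firefox or hackpad code; the function names, the shortened policy and the sample scripts are assumptions made for illustration.

```javascript
// Added example. Hash-sources are detected but not matched against script bodies.
// Constructed: the policy from the console output with most hosts dropped.
const POLICY = "script-src https://hackpad.com 'unsafe-inline' " +
  "https://d29bt26wntaesq.cloudfront.net/ " +
  "'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'";

// Source list that governs scripts: script-src, falling back to default-src.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first wins
  }
  return directives.get('script-src') || directives.get('default-src') || null;
}

// ignoreUnsafeInline=true models the console message: 'unsafe-inline' is
// dropped once a nonce-source or hash-source is listed.
function checkInline(policy, nonceAttr, ignoreUnsafeInline = true) {
  const sources = scriptSources(policy);
  if (sources === null) return { allowed: true, reason: 'no script policy' };
  const nonces = sources
    .filter((s) => /^'nonce-[^']+'$/i.test(s))
    .map((s) => s.slice(7, -1)); // nonce values compare case-sensitively
  const hasHash = sources.some((s) => /^'sha(256|384|512)-[^']+'$/i.test(s));
  const unsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  if (nonceAttr && nonces.includes(nonceAttr)) return { allowed: true, reason: 'nonce' };
  const dropped = ignoreUnsafeInline && (nonces.length > 0 || hasHash);
  if (unsafeInline && !dropped) return { allowed: true, reason: "'unsafe-inline'" };
  const reason = unsafeInline ? "'unsafe-inline' ignored" : 'no matching source';
  return { allowed: false, reason };
}

// Constructed inline scripts: the line numbers echo the console output, but
// which script carried which nonce attribute is an assumption.
const SCRIPTS = [
  { line: 30, nonce: null },
  { line: 203, nonce: '7ff735370642ea9c6e71d0888eea6db242ccd299' }, // not in policy
  { line: 217, nonce: '3e54544516dfc55892bcc47cb69f6b6f574516f2' },
];

function blockedLines(policy, scripts, ignoreUnsafeInline = true) {
  return scripts
    .filter((s) => !checkInline(policy, s.nonce, ignoreUnsafeInline).allowed)
    .map((s) => s.line);
}

console.log(blockedLines(POLICY, SCRIPTS));        // [ 30, 203 ]
console.log(blockedLines(POLICY, SCRIPTS, false)); // []
```

Passing `false` as the last argument models a browser that still honours 'unsafe-inline' next to a nonce, which is why the same policy and markup can work in one release and break in the next.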
Reporter
Comment 2•9 years ago
Alright, I'll try to reach out to them. Thanks!
Updated•9 years ago
Component: Untriaged → DOM: Security
Product: Firefox → Core
Comment 3•8 years ago
It seems this is not an issue anymore, just checked https://hackpad.com/ep/account/sign-in and no errors in the console. Marking this as INVALID anyway since it was not a Firefox issue, but rather a website-related error.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID