Closed Bug 1187456 Opened 9 years ago Closed 8 years ago

Javascript not executing correctly

Categories

(Core :: DOM: Security, defect)

41 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: barret, Unassigned)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36
Build ID: 20150724004006

Steps to reproduce:

1. Go to https://hackpad.com/ep/account/sign-in
2. Open Console


Actual results:

In Fx 41 and 42 I am unable to sign in and there is a JavaScript error:

TypeError: clientVars is undefined

If I open the JS debugger and search for !clientVars, there is no reference for:

    var !clientVars = ...

In Fx 39 I am able to sign in and there is no JavaScript error. If I open the JS debugger and search for !clientVars, there IS a reference for:

    var clientVars = ...



Expected results:

There should be no JavaScript error as the JS served is the same in both instances. You should be able to sign in.

The JavaScript that is not executed is the following:

    <script type="text/javascript" nonce="7ff735370642ea9c6e71d0888eea6db242ccd299">
    // <![CDATA[
    var clientVars = {"facebookClientId":"145393915506961","initialSpaces":[{"id":1,"orgName":"hackpad","subDomain":"\x3c\x3cprivate-network>>","isDeleted":false,"lastLoginDate":0,"url":"https://hackpad.com/"}],"xsrf":"3969dbbfe85be9e6","isDogfood":false,"cdn":"https://d29bt26wntaesq.cloudfront.net"};
    // ]]>
    </script>


I have verified that this issue occurs in a new profile.
Browser console:
Content Security Policy: Ignoring "'unsafe-inline'" within script-src: nonce-source or hash-source specified <unknown>

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:30:0

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:203:0

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:217:0

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:351:0

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:365:0

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:384:0

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:393:0

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:404:0

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:418:0

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://hackpad.com 'unsafe-inline' https://www.dropbox.com/static/api/1/dropins.js https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js https://ssl.google-analytics.com/ga.js https://cdn.mxpnl.com/libs/mixpanel-2.1.min.js https://connect.facebook.net/en_US/all.js https://js.stripe.com/v1/ https://static.intercomcdn.com/intercom.v1.js https://widget.intercom.io/widget/ https://js.intercomcdn.com/ https://platform.twitter.com/widgets.js https://syndication.twitter.com/ https://gist.github.com/ https://d29bt26wntaesq.cloudfront.net/ 'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'"). sign-in:494:0

Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=b1ba9eec8e44&tochange=1c5cc2480340

Triggered by Bug 1004703

So, I guess this is the site problem

Blocks: 1004703

Alright, I'll try to reach out to them. Thanks!

Component: Untriaged → DOM: Security
Product: Firefox → Core

It seems this is not an issue anymore, just checked https://hackpad.com/ep/account/sign-in and no errors in the console. Marking this as INVALID anyway since it was not a Firefox issue, but rather a website-related error.

Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
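
The console message above says 'unsafe-inline' is ignored once a nonce-source or hash-source is present, which leaves a matching nonce as the only way for an inline script to run. The sketch below is an added example, not code from Firefox or from anyone on this bug; it evaluates a constructed, shortened copy of the logged policy against the two nonce values that appear on this page (they were pasted in separate comments and may come from different page loads). Function names are hypothetical, and hash matching of the script body is not computed.

```javascript
// Constructed, shortened copy of the script-src value from the console output.
const POLICY = "script-src https://hackpad.com 'unsafe-inline' " +
  "https://d29bt26wntaesq.cloudfront.net/ " +
  "'nonce-3e54544516dfc55892bcc47cb69f6b6f574516f2'";

// Split a script-src directive into the parts that matter for inline scripts.
function parseScriptSrc(directive) {
  const tokens = directive.trim().split(/\s+/);
  if (tokens.shift().toLowerCase() !== "script-src") {
    throw new Error("not a script-src directive");
  }
  const nonces = [];
  let unsafeInline = false;
  let hasHash = false;
  for (const t of tokens) {
    const m = /^'nonce-(.+)'$/i.exec(t);
    if (m) nonces.push(m[1]); // nonce values compare case-sensitively
    else if (/^'sha(256|384|512)-.+'$/i.test(t)) hasHash = true;
    else if (t.toLowerCase() === "'unsafe-inline'") unsafeInline = true;
  }
  return { nonces, unsafeInline, hasHash };
}

// Decide whether an inline <script> carrying scriptNonce may run.
// ignoreUnsafeInline=true models the behaviour in the console message
// ("Ignoring 'unsafe-inline' ... nonce-source or hash-source specified");
// false models a user agent that still honours 'unsafe-inline' next to a nonce.
function inlineScriptAllowed(directive, scriptNonce, ignoreUnsafeInline) {
  const p = parseScriptSrc(directive);
  const nonceOk = Boolean(scriptNonce) && p.nonces.includes(scriptNonce);
  if (nonceOk) return true;
  const nonceOrHashPresent = p.nonces.length > 0 || p.hasHash;
  if (ignoreUnsafeInline && nonceOrHashPresent) return false;
  return p.unsafeInline;
}

// Compare both behaviours for one script nonce.
function explain(directive, scriptNonce) {
  return {
    honoursUnsafeInline: inlineScriptAllowed(directive, scriptNonce, false),
    ignoresUnsafeInline: inlineScriptAllowed(directive, scriptNonce, true),
  };
}

// Nonce from the <script> tag in the report, then the nonce from the logged policy.
console.log(explain(POLICY, "7ff735370642ea9c6e71d0888eea6db242ccd299"));
console.log(explain(POLICY, "3e54544516dfc55892bcc47cb69f6b6f574516f2"));
```

A policy that lists both 'unsafe-inline' and a nonce only behaves the same in both modes when every inline script on the page carries the nonce sent in that response's header.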