Open Bug 1222695 Opened 10 years ago Updated 3 years ago

DOMParser triggers CSP reports on mac

Categories: Firefox :: Security (defect)
Version: 42 Branch
Platform / OS: Unspecified / macOS
Status: UNCONFIRMED
Reporter: amrod; Assignee: Unassigned

Details

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151015125802

Steps to reproduce:

I tried to parse an HTML string containing an image under a domain with CSP set to: "default 'self'". Example code:

    new DOMParser().parseFromString('<img src="http://example.com/img.png"/>', "text/html");

Running example: https://bug.bitwolk.nl/

This triggers a CSP report on Firefox running on a Mac but not on Linux. The DOMParser should not, and does not, query the image; therefore there should not be a violation of the CSP.

Tested with: Stable 42.0 and Aurora channel 44.0a2 (2015-11-07) on OS X 10.10.5

Actual results:

Content Security Policy: The page's settings blocked the loading of a resource at http://example.com/img.png ("default-src https://bug.bitwolk.nl").

Expected results:

Nothing
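The following self-contained page is an added example, not the reporter's test page at bug.bitwolk.nl and not Firefox code. It applies the same policy through a <meta> tag so it can be opened from a local file, parses the reporter's snippet with DOMParser, and records every securitypolicyviolation event the document raises; as a control it then adopts the parsed img into the live document, where the policy is expected to block the load and raise exactly one violation. The nonce value and the log element are assumptions made for this page, and because report-uri is ignored in a <meta> policy the event is used in place of the report endpoint the reporter observed.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <!-- Same default-src policy as the report. The nonce only exists to let this
       page's own inline script run; it is an assumption for this check page. -->
  <meta http-equiv="Content-Security-Policy"
        content="default-src 'self'; script-src 'nonce-domparsercheck'">
  <title>DOMParser vs CSP check</title>
</head>
<body>
<pre id="log"></pre>
<script nonce="domparsercheck">
  const log = (msg) => { document.getElementById('log').textContent += msg + '\n'; };
  const violations = [];

  // Every CSP violation in this document fires this event; it carries the same
  // fields (blocked URI, violated directive) as a CSP report would.
  document.addEventListener('securitypolicyviolation', (e) => {
    violations.push(e);
    log(`VIOLATION: ${e.violatedDirective} blocked ${e.blockedURI}`);
  });

  // Step 1: the reporter's case. Parsing into a detached document must not
  // fetch the image, so no violation is expected from this call.
  const doc = new DOMParser().parseFromString(
    '<img src="http://example.com/img.png"/>', 'text/html');
  const img = doc.querySelector('img');
  log(`parsed <img src="${img.getAttribute('src')}"> into a detached document`);
  log(`img belongs to the live document: ${img.ownerDocument === document}`); // false

  // Step 2 (control): adopting the same element into the live document does
  // start a load, which default-src 'self' blocks, so one violation is expected
  // here and only here. Short delays let any asynchronous events arrive first.
  setTimeout(() => {
    log(`violations after DOMParser alone: ${violations.length} (expected 0)`);
    document.body.appendChild(document.adoptNode(img));
    setTimeout(() => {
      log(`violations after inserting the img: ${violations.length} (expected 1)`);
    }, 500);
  }, 500);
</script>
</body>
</html>
```

Open the file in the browser under test and read the last two log lines: a count above zero after the first step reproduces the behaviour the reporter describes, while the control line confirms that the policy itself is active and that violations are being captured.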
Component: Untriaged → Security
OS: Unspecified → Mac OS X
Severity: normal → S3