CSP errors on phonebook.mozilla.org

RESOLVED FIXED

Status

Webtools
Phonebook
a year ago
2 months ago

People

(Reporter: glob, Unassigned)

Tracking

Trunk

(Reporter)

Description

a year ago
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://phonebook.mozilla.org”).
(Reporter)

Comment 1

a year ago
.. with devedition 50.0a2 (2016-08-14)
Firefox 48.0 shows this error:

22:08:09.517 Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://phonebook.allizom.org").

Safari 10 and Chrome 52 do not.
April, can you see what can possibly be triggering this error only on Firefox? All three browsers load the same resources and function equivalently.
Flags: needinfo?(april)

Updated

a year ago
Depends on: 1296027
I suspect that upgrading Prototype would make the error go away, but I suspect that Firefox is erroneously reporting, so I've opened a bug with the DOM:Security team.

Prototype is binding an event to the form, so that's why my hunch lies there.
Flags: needinfo?(april)
(Reporter)

Comment 5

a year ago
(In reply to April King [:April] from comment #4)
> I suspect that upgrading Prototype would make the error go away[..]

unfortunately the phonebook is already running the latest version (v1.7.3).
Oh, boo.  I was confused by the fact that the copyright notice was from 2005-2010.  Anyways, this *is* a bug in Prototype.js, and I've filed an issue with them.

I don't think it affects the functioning of phonebook, outside of the console noise.
It appears that this particular block of code has been removed from Prototype.js release, so this error should go away whenever they release the newest version.
To summarize, this is a cosmetic issue, which we will resolve someday when Prototype.js releases an update.
Yup, exactly.  Prototype is (improperly) setting an event handler on a temporary DOM node -- never inserted into the page -- that it uses for browser feature detection.  They've said that code is already removed in GitHub, and the next release should be fine.
This is RESO FIXE on Phonebook trunk with the replacement of Prototype with jQuery, and will go live with other fixes scheduled to go soon.
Status: NEW → RESOLVED
Last Resolved: 2 months ago
Resolution: --- → FIXED
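
Added example, not code from this bug or from Prototype.js: a small evaluator, following the CSP Level 3 fallback rules, for whether a policy permits event handlers set as attributes, which is the kind of handler the thread says Prototype sets on its temporary node. The function names are hypothetical; only the `script-src` directive quoted in the console message comes from the page, and the other policies are constructed.

```javascript
// Added example: does a CSP allow inline event-handler attributes,
// e.g. el.setAttribute('onsubmit', 'return;')? Function names are hypothetical.

// Parse a policy string into a Map of directive name -> source tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Handler attributes are governed by script-src-attr, falling back to
// script-src and then default-src (CSP Level 3).
function governingDirective(directives) {
  for (const name of ['script-src-attr', 'script-src', 'default-src']) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null;
}

function inlineHandlerVerdict(policy) {
  const gov = governingDirective(parsePolicy(policy));
  if (gov === null) return { verdict: 'allowed', directive: null };
  const src = gov.sources.map((s) => s.toLowerCase());
  const hasHash = src.some((s) => /^'sha(256|384|512)-/.test(s));
  const hasNonce = src.some((s) => s.startsWith("'nonce-"));
  // 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' appears.
  const inlineOk = src.includes("'unsafe-inline'") &&
    !hasHash && !hasNonce && !src.includes("'strict-dynamic'");
  if (inlineOk) return { verdict: 'allowed', directive: gov.name };
  // With 'unsafe-hashes', only handlers whose source text matches a hash run.
  if (src.includes("'unsafe-hashes'") && hasHash) {
    return { verdict: 'hash-match-only', directive: gov.name };
  }
  // Host and scheme sources never match inline code, so it is blocked.
  return { verdict: 'blocked', directive: gov.name };
}
// Directive quoted in the console message on this page, then constructed ones.
const samples = [
  'script-src https://phonebook.mozilla.org',
  "script-src https://phonebook.mozilla.org 'unsafe-inline'",
  "default-src 'self'; script-src-attr 'unsafe-hashes' 'sha256-CONSTRUCTED='",
];
for (const p of samples) console.log(inlineHandlerVerdict(p).verdict, '<-', p);
```

A host-only `script-src` like the one in the console message yields `blocked` for any handler attribute, which is why replacing attribute-based handlers or feature checks with `addEventListener` or an `'onsubmit' in el` test avoids the violation without loosening the policy.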