Closed
Bug 1303086
Opened 8 years ago
Closed 7 years ago
resource://devtools/client/jsonview/ blocked by site's base-uri CSP directive (on dev-edition)
Categories
(DevTools :: JSON Viewer, defect, P2)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 1316393
People
(Reporter: eviljeff, Assigned: Honza)
If a site's CSP rules disallow external scripts then any JSON response from that site is broken because the devtools jsonview inserts the response headers as extra content on the end (making it invalid JSON); then tries to insert a script to handle it which is blocked by the CSP.

e.g. https://addons.allizom.org/blocked/blocklists.json results in this CSP error:

Content Security Policy: The page’s settings blocked the loading of a resource at resource://devtools/client/jsonview/ (“base-uri https://addons.allizom.org https://addons.mozilla.org https://addons.allizom.org”).

AMO generates its CSP rules here: https://github.com/mozilla/addons-server/blob/master/src/olympia/lib/settings_base.py
Comment 1•8 years ago (Reporter)
https://github.com/mozilla/addons-server/blob/master/src/olympia/lib/settings_base.py#L1259 onwards, more precisely.
Comment 2•8 years ago
In this specific case "resource://devtools/client/jsonview/" appears to be being blocked by the base-uri directive. The expected outcome would be that devtools should not be impacted by a site's CSP configuration.
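The base-uri check discussed in comment 2, as an added example that is not part of the bug thread or of Firefox's code: a simplified JavaScript model of CSP source matching, run against the policy and URLs quoted in the report. The function names are hypothetical, and path matching and other CSP details are left out.

```javascript
// Simplified model of CSP base-uri matching (added example, not Firefox code).
// Handles 'self', scheme-sources ("https:") and host-sources with optional
// scheme, "*." wildcard host and port. Path parts of a source are ignored.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function parseDirective(policy, name) {
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null; // directive not present
}

function sourceMatches(source, url, docUrl) {
  if (source === "'self'") return url.origin === docUrl.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol === source.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Assumption: a scheme-less host-source takes the document's scheme.
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : docUrl.protocol;
  if (url.protocol !== wantScheme) return false;
  const h = host.toLowerCase();
  const hostOk = h === "*" || (h.startsWith("*.")
    ? url.hostname.endsWith(h.slice(1))
    : url.hostname === h);
  if (!hostOk) return false;
  if (port === "*") return true;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  return urlPort === (port || DEFAULT_PORTS[wantScheme] || "");
}

function baseUriAllowed(policy, baseHref, documentHref) {
  const sources = parseDirective(policy, "base-uri");
  if (sources === null) return true; // base-uri has no default-src fallback
  const url = new URL(baseHref);
  const docUrl = new URL(documentHref);
  return sources.some((s) => sourceMatches(s, url, docUrl));
}

// Values taken from the bug report.
const POLICY = "base-uri https://addons.allizom.org https://addons.mozilla.org https://addons.allizom.org";
const DOC = "https://addons.allizom.org/blocked/blocklists.json";
console.log(baseUriAllowed(POLICY, "resource://devtools/client/jsonview/", DOC)); // false
console.log(baseUriAllowed(POLICY, "https://addons.mozilla.org/", DOC)); // true
```

A browser-internal base URL with the resource: scheme can never match a list made only of https host-sources, which is why the viewer's own base was rejected under the site's policy.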
Updated•8 years ago
Summary: JSON from websites with a CSP preventing scripts are broken by devtools json view (on dev-edition) → resource://devtools/client/jsonview/ blocked by site's base-uri CSP directive (on dev-edition)
Updated•8 years ago (Reporter)
Assignee: nobody → odvarko
Component: Developer Tools → Developer Tools: JSON Viewer
Updated•8 years ago (Assignee)
Priority: -- → P2
Comment 4•7 years ago
The link in comment 0 is broken, but this should have been fixed in bug 1316393.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated•6 years ago
Product: Firefox → DevTools