Closed Bug 1303086 Opened 8 years ago Closed 7 years ago

resource://devtools/client/jsonview/ blocked by site's base-uri CSP directive (on dev-edition)

Categories

(DevTools :: JSON Viewer, defect, P2)

50 Branch
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1316393

People

(Reporter: eviljeff, Assigned: Honza)

Details

If a site's CSP rules disallow external scripts, then any JSON response from that site is broken, because the devtools jsonview inserts the response headers as extra content on the end (making it invalid JSON), then tries to insert a script to handle it, which is blocked by the CSP.

e.g. https://addons.allizom.org/blocked/blocklists.json

results in this CSP error:
Content Security Policy: The page’s settings blocked the loading of a resource at resource://devtools/client/jsonview/ (“base-uri https://addons.allizom.org https://addons.mozilla.org https://addons.allizom.org”).

AMO generates its CSP rules here: https://github.com/mozilla/addons-server/blob/master/src/olympia/lib/settings_base.py
In this specific case "resource://devtools/client/jsonview/" appears to be being blocked by the base-uri directive.

The expected outcome would be that devtools should not be impacted by a site's CSP configuration.
Summary: JSON from websites with a CSP preventing scripts are broken by devtools json view (on dev-edition) → resource://devtools/client/jsonview/ blocked by site's base-uri CSP directive (on dev-edition)
Assignee: nobody → odvarko
Component: Developer Tools → Developer Tools: JSON Viewer
Priority: -- → P2
The link in comment 0 is broken, but this should have been fixed in bug 1316393.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Product: Firefox → DevTools
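
The base-uri check behind the CSP error quoted in comment 0, as an added example that is not part of the bug report and is not Firefox's code: base-uri restricts the URLs a document may use in a <base> element, and this simplified source-list matcher shows why resource://devtools/client/jsonview/ fails against the quoted directive. The function names are hypothetical, and the matching rules are a reduced subset of CSP (exact scheme match, no bare "*" or ":*" port sources).

```javascript
// Added example: simplified CSP source-list matching for the base-uri directive.
// Not Firefox's implementation. Unsupported sources (bare "*", ":*" ports) never match.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };
const portOf = (u) => u.port || DEFAULT_PORTS[u.protocol] || "";

// Directive as quoted in the CSP error from the report.
const REPORTED_POLICY =
  "base-uri https://addons.allizom.org https://addons.mozilla.org https://addons.allizom.org";

// Split a serialized policy into directive name -> source list (first occurrence wins).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, self) {
  const s = source.toLowerCase();
  if (s === "'self'") {
    return url.protocol === self.protocol && url.hostname === self.hostname &&
      portOf(url) === portOf(self);
  }
  if (s.startsWith("'")) return false;                            // 'none' and other keywords
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;  // scheme-source, e.g. "https:"
  let expr;                                                       // otherwise a host-source
  try {
    // Simplification: a scheme-less host-source takes the page's own scheme.
    expr = new URL(source.includes("://") ? source : `${self.protocol}//${source}`);
  } catch { return false; }
  const [h, p] = [expr.hostname, expr.pathname];
  const hostOk = h.startsWith("*.") ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
  const pathOk = p.endsWith("/") ? url.pathname.startsWith(p) : url.pathname === p;
  return url.protocol === expr.protocol && hostOk && portOf(url) === portOf(expr) && pathOk;
}

// Would a <base href> pointing at baseHref be allowed on a page served from selfOrigin?
function baseUriAllows(policy, baseHref, selfOrigin) {
  const sources = parsePolicy(policy).get("base-uri");
  if (sources === undefined) return true; // base-uri does not fall back to default-src
  const [url, self] = [new URL(baseHref), new URL(selfOrigin)];
  return sources.some((src) => sourceMatches(src, url, self));
}
```

With the reported directive, `baseUriAllows(REPORTED_POLICY, "resource://devtools/client/jsonview/", "https://addons.allizom.org")` returns false because every listed source is an https host-source and the scheme comparison fails first.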