Open
Bug 1306673
Opened 8 years ago
Updated 8 years ago
Send correct CSP for attachments.cgi
Categories
(Bugzilla :: Attachments & Requests, defect)
Tracking
()
NEW
Bugzilla 6.0
People
(Reporter: LpSolit, Unassigned)
References
Details
(Keywords: regression)
Due to default_src => [ 'self' ] set in bug 1286287, attachments that the browser can usually display itself (such as images and SVG files) are no longer viewable in the attachment "Details" page. Firefox throws the following message in the error console (translated from French):
"Content Security Policy: The page settings prevented the loading of a resource"
There is no reason to prevent them from being displayed in the iframe. Bugzilla already passes the HTML5 'sandbox' attribute to prevent code execution.
Comment 1•8 years ago
I suspect we'll find more of these. Possibly when I fix this, I'll make the default to be "Report-Only" so that
1) we can find more of these that don't work
2) it doesn't break things for people running on master.
Sound good?
Updated•8 years ago
Assignee: attach-and-request → dylan
Reporter
Comment 2•8 years ago
I don't think Report-Only is useful. We should rather whitelist the URL specified in the attachment_base parameter.
Updated•8 years ago
Assignee: dylan → dylan
Updated•8 years ago
Assignee: dylan → attach-and-request
Summary: Images and SVG files are no longer viewable in the attachment "Details" page due to CSP restrictions → Send correct CSP for attachments.cgi
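The approach proposed in comment 2, sketched as an added example (not Bugzilla's code and not from any participant in this bug): keep default-src at 'self' and allow only the attachment_base origin for frames, since the Details page shows the attachment in an iframe. The function names and the attach.example host are hypothetical; the %bugid% placeholder is a feature of the attachment_base parameter that the thread itself does not mention, and the choice of frame-src is an assumption based on the iframe described in the report.

```python
from urllib.parse import urlsplit

PLACEHOLDER = "%bugid%"          # replaced with the bug ID when attachments use per-bug hosts
SENTINEL = "bugid-placeholder"   # stand-in so the URL still parses when no bug is in scope

def attachment_source(attachment_base, bug_id=None):
    """Reduce attachment_base to a CSP host-source; None when the parameter is unset."""
    if not attachment_base:
        return None  # attachments are served from the main origin, which 'self' covers
    label = SENTINEL if bug_id is None else str(int(bug_id))
    parts = urlsplit(attachment_base.replace(PLACEHOLDER, label))
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("attachment_base must be an absolute http(s) URL")
    host = parts.hostname
    if SENTINEL in host:
        # CSP only allows a wildcard as the whole leftmost label, so this is
        # broader than one bug's host but is the tightest source expressible.
        first, _, rest = host.partition(".")
        if not rest or SENTINEL in rest:
            raise ValueError("%bugid% must sit in the leftmost host label")
        host = "*." + rest
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{host}{port}"  # path and query are dropped on purpose

def details_page_csp(attachment_base, bug_id=None):
    """Header value for the Details page: default stays 'self', only frames widen."""
    policy = {"default-src": ["'self'"]}
    source = attachment_source(attachment_base, bug_id)
    if source:
        # frame-src overrides default-src for iframes, so 'self' is listed again
        policy["frame-src"] = ["'self'", source]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in policy.items())

if __name__ == "__main__":
    # Constructed sample values; attach.example is a placeholder host.
    print(details_page_csp(""))
    print(details_page_csp("https://bug%bugid%.attach.example/", 1306673))
```

When the bug ID is known, the policy names that bug's host exactly; the wildcard form is only produced when no bug is in scope.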