Open Bug 1306673 Opened 8 years ago Updated 8 years ago

Send correct CSP for attachments.cgi

Categories: Bugzilla :: Attachments & Requests (defect)
Version: 5.1.1
Priority: Not set
Severity: major

Tracking: Bugzilla 6.0

People: Reporter: LpSolit, Unassigned

Details: Keywords: regression

Due to default_src => [ 'self' ] set in bug 1286287, attachments that the browser can usually display itself (such as images and SVG files) are no longer viewable in the attachment "Details" page. Firefox throws the following message in the error console (translated from French): "Content Security Policy: The page settings prevented the loading of a resource".

There is no reason to prevent them from being displayed in the iframe. Bugzilla already passes the HTML5 'sandbox' attribute to prevent code execution.
I suspect we'll find more of these. Possibly when I fix this, I'll make the default to be "Report-Only" so that 1) we can find more of these that don't work and 2) it doesn't break things for people running on master. Sound good?
Assignee: attach-and-request → dylan
I don't think Report-Only is useful. We should rather whitelist the URL specified in the attachment_base parameter.
Assignee: dylan → dylan
Assignee: dylan → attach-and-request
Summary: Images and SVG files are no longer viewable in the attachment "Details" page due to CSP restrictions → Send correct CSP for attachments.cgi
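As an added illustration (not Bugzilla code), a simplified CSP source matcher in Python showing why `default-src 'self'` alone blocks the attachment iframe when attachments are served from a separate attachment_base origin, and how adding that origin to `frame-src` allows it. The origins and the attachment_base value are constructed; the matcher simplifies CSP (no wildcard hosts, no scheme-only sources, no port-upgrade rules).

```python
from urllib.parse import urlsplit

# Constructed values, not from any real Bugzilla install: the main site origin and a
# hypothetical attachment_base on a separate origin (the recommended Bugzilla setup).
PAGE_ORIGIN = "https://bugzilla.example.com"
ATTACHMENT_BASE = "https://attachments.example.com/"


def origin_of(url):
    """Return scheme://host[:port] of a URL, lower-cased for comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def build_csp(attachment_base=None):
    """Policy for the attachment Details page.

    Without attachment_base this is exactly the bug 1286287 policy. With it, the
    attachment origin is added to frame-src so the sandboxed iframe may load it;
    default-src stays 'self' so scripts, images, etc. remain same-origin only."""
    csp = "default-src 'self'"
    if attachment_base:
        csp += f"; frame-src 'self' {origin_of(attachment_base)}"
    return csp


def parse_csp(header):
    """Split a CSP header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def frame_allowed(header, page_origin, frame_url):
    """Decide whether <iframe src=frame_url> may load under this policy.

    frame-src governs; when absent, CSP falls back to child-src, then default-src."""
    policy = parse_csp(header)
    sources = policy.get("frame-src") or policy.get("child-src") or policy.get("default-src", [])
    target = origin_of(frame_url)
    for src in sources:
        if src == "'self'" and target == origin_of(page_origin):
            return True
        if src.startswith("'"):  # other keywords ('none', 'unsafe-inline') never match a URL
            continue
        if target == src.lower():  # plain host-source: exact origin match
            return True
    return False
```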