https://analytics.twitter.com/about CSP rule broken with Nightly

RESOLVED INVALID

People

(Reporter: rhubscher, Unassigned)

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
When logging in to https://analytics.twitter.com/about

> Content Security Policy: La directive « frame-src » est obsolète. Veuillez utiliser la directive « child-src » à la place.

The "frame-src" directive is outdated, please use child-src instead.


> Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à self (« script-src 'unsafe-eval' https://analytics.twitter.com https://*.twimg.com https://twitter.com https://ton.twitter.com https://platform.twitter.com https://syndication.twitter.com https://ssl.google-analytics.com https://www.google-analytics.com https://bat.bing.com https://analytics.twitter.com https://static.ads-twitter.com https://s.pinimg.com »). Source: ;(function installGlobalHook(window) {
 ....

Preferences of the page prevent the loading of a resource.

« script-src 'unsafe-eval' https://analytics.twitter.com https://*.twimg.com https://twitter.com https://ton.twitter.com https://platform.twitter.com https://syndication.twitter.com https://ssl.google-analytics.com https://www.google-analytics.com https://bat.bing.com https://analytics.twitter.com https://static.ads-twitter.com https://s.pinimg.com »
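
Why a policy like the one quoted above refuses an inline script while still loading scripts from the listed hosts, as an added example that is not part of the original report or of Firefox's code. It assumes the blocked resource was an inline script (the `Source:` sample in the console message suggests one) and models only `'unsafe-inline'`, nonces and scheme+host sources; `scriptAllowed` and its helpers are hypothetical names.

```javascript
// Added example: simplified script-src evaluation, not a full CSP Level 3 matcher.
// POLICY is the script-src directive quoted in the report.
const POLICY = "script-src 'unsafe-eval' https://analytics.twitter.com https://*.twimg.com https://twitter.com https://ton.twitter.com https://platform.twitter.com https://syndication.twitter.com https://ssl.google-analytics.com https://www.google-analytics.com https://bat.bing.com https://analytics.twitter.com https://static.ads-twitter.com https://s.pinimg.com";

function parseDirective(policy, name) {
  for (const part of policy.split(";")) {
    const [directive, ...sources] = part.trim().split(/\s+/);
    if (directive.toLowerCase() === name) return sources;
  }
  return null; // directive absent
}

// Matches scheme://host sources only; ports, paths and 'self' are not modelled.
function hostSourceMatches(source, url) {
  const m = /^(https?):\/\/([^/:]+)$/.exec(source);
  if (!m) return false; // keyword, nonce or hash source
  const u = new URL(url);
  if (u.protocol !== m[1] + ":") return false;
  const host = m[2].toLowerCase();
  return host.startsWith("*.")
    ? u.hostname.endsWith(host.slice(1)) // "*.twimg.com" covers subdomains only
    : u.hostname === host;
}

function scriptAllowed(policy, script) {
  const sources = parseDirective(policy, "script-src");
  if (sources === null) return true; // default-src fallback not modelled
  if (script.inline) {
    // A nonce or hash source makes browsers ignore 'unsafe-inline'.
    const strict = sources.some(s => /^'(nonce|sha(256|384|512))-/i.test(s));
    if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
    return sources.includes("'unsafe-inline'") && !strict;
  }
  return sources.some(s => hostSourceMatches(s, script.url));
}

// 'unsafe-eval' permits eval(), but nothing in the policy permits inline scripts.
console.log("inline script allowed:", scriptAllowed(POLICY, { inline: true }));
console.log("twimg script allowed:", scriptAllowed(POLICY, { url: "https://abs.twimg.com/a.js" }));
```

Any script injected into the page as inline text, whatever its origin, is evaluated against the same source list, which is why the thread goes on to test a clean profile.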

Comment 1

2 years ago
I can't reproduce. I see the first warning about frame-src, but not the second warning. Tested with Nightly from Dec. 13 on OS X.

Can you reproduce on a clean profile? Do you need to be logged in to twitter to see this? Can you provide a minimal testcase that more clearly demonstrates something Firefox is doing wrong?

(Oddly, the page looks largely unstyled to me, and appears the same in beta 51 and in Chrome... perhaps you're seeing something else?)
Component: General → DOM: Security
Flags: needinfo?(rhubscher)
Product: Firefox → Core
(Reporter)

Comment 2

2 years ago
> the page looks largely unstyled to me

Yes that's why I thought we had a problem and looked at the console. But if you are telling me it is the same with Chrome maybe we shouldn't care about it. I am updating to Nightly Dec 13 and will get back to you.
(Reporter)

Comment 3

2 years ago
Created attachment 8818287 [details]
Here is what I am seeing when loading the page from nightly 2016-12-13
Flags: needinfo?(rhubscher)

Comment 4

2 years ago
(In reply to Rémy Hubscher (:natim) from comment #3)
> Created attachment 8818287 [details]
> Here is what I am seeing when loading the page from nightly 2016-12-13

Does this happen in a clean profile? I wonder if the CSP is interfering with an add-on script being loaded or something like that.
(Reporter)

Comment 5

2 years ago
Created attachment 8818290 [details]
From a new profile without any add-ons installed.

Comment 6

2 years ago
(In reply to Rémy Hubscher (:natim) from comment #5)
> Created attachment 8818290 [details]
> From a new profile without any add-ons installed.

OK, this matches what I'm seeing, and the website has now started looking non-terrible again, so I suppose there was a temporary bug on the Twitter side.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID