Closed Bug 1333929 Opened 7 years ago Closed 7 years ago

Reftest analyzer fails to load with new Content Security Policy header

Categories

(Developer Services :: Mercurial: hg.mozilla.org, defect)

Product:
Developer Services
Component:
Mercurial: hg.mozilla.org
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: neerja, Assigned: gps)

References

Details

Attachments

(1 file)

ansible/hg-web: define liberal CSP policy for reftest analyzer (bug 1333929);
59 bytes, text/x-review-board-request
fubar
: review+
Details 
Treeherder link:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=3bdc7fb45628307448cda428bf984105baa60c12&selectedJob=71363018

Output from Chrome's developer console:
Failed to load resource: the server responded with a status of 404 (Not Found)

Refused to connect to 'https://public-artifacts.taskcluster.net/KQYN-Sa9TBmXR3m8GaXXwg/0/public/logs/live_backing.log' because it violates the following Content Security Policy directive: "connect-src 'self' https://bugzilla.mozilla.org/ https://archive.mozilla.org/ https://queue.taskcluster.net/".
Blocks: 1319172
Here is the direct link to reftest analyzer that used to work but is now failing:
https://hg.mozilla.org/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml#logurl=https://queue.taskcluster.net/v1/task/KQYN-Sa9TBmXR3m8GaXXwg/runs/0/artifacts/public/logs/live_backing.log&only_show_unexpected=1

Steps to reproduce is just to click this link above. 

edmorley seem to be referencing the same issue here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1319172#c38
Depends on: 1200501
Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/47639c94de37
ansible/hg-web: add public-artifacts.taskcluster.net to CSP connect-src
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
This will be deployed in ~20 minutes.
This is deployed but the reftest analyzer is still failing. This time it complains about image-src and data:. I could chase this rabbit hole all day. Or I could just wait for bug 1200501, which I'm inclined to do.
Ah the new errors only appear after clicking the filename on the left.

Content Security Policy: The page's settings blocked the loading of a resource at data:image/png;base64,iVBORw0KGgoAAAANSU... ("img-src https://hg.mozilla.org").

Bug 1200501 is not going to be fixed overly soon, since we'll need security review (or adding a CSP header) before adding this to Treeherder, due to the risk of XSS revealing Treeherder credentials (or worse, the taskcluster tokens stored in localstorage).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: Reftest analyzer fails to load logs due to Content Security Policy directive: "connect-src 'self' → Reftest analyzer fails to load with new Content Security Policy header
Comment on attachment 8830586 [details]
ansible/hg-web: define liberal CSP policy for reftest analyzer (bug 1333929);

https://reviewboard.mozilla.org/r/107334/#review108754

I started to suggest using an <if ... && ... > block and then realized you were moving away from that. I feel like there's a better way to do this, but it looks like it will DTRT and I'm happy to let it go for expediency.
Attachment #8830586 - Flags: review?(klibby) → review+
Assignee: nobody → gps
Status: REOPENED → ASSIGNED
Comment on attachment 8830586 [details]
ansible/hg-web: define liberal CSP policy for reftest analyzer (bug 1333929);

https://reviewboard.mozilla.org/r/107334/#review108754

I could have done it with an `<if X && Y>` block where `X` is the user-agent/query string detection and `Y` is the URL. However, the expression would have been long and redundant. I felt this was uglier.

I would love to find a cleaner way to write this. But every iteration I tried failed :/
Pushed by gszorc@mozilla.com:
https://hg.mozilla.org/hgcustom/version-control-tools/rev/a32e19f15756
ansible/hg-web: define liberal CSP policy for reftest analyzer ; r=fubar
Status: ASSIGNED → RESOLVED
Closed: 7 years ago7 years ago
Resolution: --- → FIXED
This is deployed. reftest analyzer appears to be working.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: