Bug 1334158 (closed): Lightbox images CSP error on bug modal
Opened 7 years ago, closed 7 years ago

Product/Component: bugzilla.mozilla.org :: General (defect, P1)
Environment: Production
Status: RESOLVED FIXED
Reporter: dylan, Assignee: dylan
Attachments: 1 file

img-src needs to include the attachments domain
Blocks: 1334160
Attached patch 1334158_1.patch
Assignee: nobody → dylan
Status: NEW → ASSIGNED
Attachment #8830784 - Flags: review?(dkl)
for this, we're adding the attachment base to the img-src rule -- this will always include a trailing slash, does that matter for any reason?

example (from a dev instance): default-src 'self'; child-src 'self' https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm; connect-src 'self' https://brasstacks.mozilla.com/orangefactor/api/count; img-src 'self' https://secure.gravatar.com http://bug888.bugzilla.vm/1334158/; object-src http://bugzilla.vm/1334158/extensions/BugModal/web/ZeroClipboard/ZeroClipboard.swf; script-src 'self' 'nonce-ddQii9uT6Oe8xZquL5NpfEui2u3571tdzeLLnZV6dIAevTOJ' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; form-action 'self' https://www.google.com/search
Flags: needinfo?(april)
Severity: normal → major
Priority: -- → P1
With CSP, if it has a trailing slash, it is that URL and any URLs underneath it.  If it lacks a trailing slash, then it is only that URL and that URL specifically.

img-src https://www.example.com/images   <-- only a file called images
img-src https://www.example.com/images/  <-- any images inside the images directory
Flags: needinfo?(april)
I should add that I believe that these are identical:

img-src https://www.example.com
img-src https://www.example.com/

But I usually only see the first one in practice.
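The trailing-slash rule described in the comments above is the CSP Level 3 path-part matching algorithm: a host-source path that ends in "/" is a prefix match on whole path segments, any other path must match exactly, and an empty path (or a bare "/") matches every path on that host. The following matcher is an added example, not code from Bugzilla or from this bug; it reproduces those rules (plus the scheme, host and port checks that precede them) and runs the img-src list from the dev-instance header quoted in the bug against a few URLs. It assumes the dev instance's own origin is http://bug888.bugzilla.vm, and it simplifies 'self' to an exact origin comparison.

```javascript
// Added example (not Bugzilla's code): a CSP Level 3 source-expression matcher
// showing how a trailing slash changes a host-source's path rule.

// host-source grammar: [scheme "://"] host [":" port] [path]
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.\-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9\-]+(?:\.[a-z0-9\-]+)*)(?::(\*|\d+))?(\/[^?#]*)?$/i;
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Percent-decode a path segment; malformed escapes are compared literally.
const decode = (s) => { try { return decodeURIComponent(s); } catch { return s; } };

// CSP3 scheme-part matching: an http: expression also matches https: URLs,
// and ws: also matches wss:/http:/https: (the "upgrade" leniency).
function schemePartMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  if (exprScheme === "http:") return urlScheme === "https:";
  if (exprScheme === "ws:") return ["wss:", "http:", "https:"].includes(urlScheme);
  if (exprScheme === "wss:") return urlScheme === "https:";
  return false;
}

// CSP3 path-part matching. A path ending in "/" is a prefix match on whole
// segments; any other path must match the URL path exactly.
function pathPartMatches(exprPath, urlPath) {
  if (exprPath === "") return true;                  // no path in the expression: any path
  if (exprPath === "/" && urlPath === "") return true;
  const exact = !exprPath.endsWith("/");
  const a = exprPath.split("/");
  const b = urlPath.split("/");
  if (a.length > b.length) return false;             // "/images/" never matches "/images"
  if (exact && a.length !== b.length) return false;  // "/images" never matches "/images/x"
  if (!exact) a.pop();                               // drop the empty segment after the slash
  return a.every((seg, i) => decode(seg) === decode(b[i]));
}

// Does one source expression allow urlStr? selfOrigin is the document's origin,
// needed for 'self' and for host-sources written without a scheme.
function sourceMatches(expr, urlStr, selfOrigin) {
  const url = new URL(urlStr);
  const self = new URL(selfOrigin);
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === self.origin;   // simplified 'self'
  if (/^[a-z][a-z0-9+.\-]*:$/i.test(expr)) {
    return schemePartMatches(expr.toLowerCase(), url.protocol); // scheme-source, e.g. "https:"
  }
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;                              // nonces, hashes, unknown keywords
  const [, scheme, host, port, path] = m;

  const exprScheme = scheme ? `${scheme.toLowerCase()}:` : self.protocol;
  if (!schemePartMatches(exprScheme, url.protocol)) return false;

  const h = host.toLowerCase();
  const uh = url.hostname.toLowerCase();
  if (h.startsWith("*.")) {
    if (!uh.endsWith(h.slice(1)) || uh.length <= h.length - 1) return false;
  } else if (h !== "*" && h !== uh) {
    return false;
  }

  if (port === undefined) {
    if (url.port !== "") return false;               // URL must be on its scheme's default port
  } else if (port !== "*" && port !== (url.port || DEFAULT_PORT[url.protocol])) {
    return false;
  }

  return pathPartMatches(path || "", url.pathname);
}

// Does a directive's whole source list allow the URL?
function directiveAllows(sourceList, urlStr, selfOrigin) {
  return sourceList.trim().split(/\s+/).some((e) => sourceMatches(e, urlStr, selfOrigin));
}

// The img-src list from the dev-instance header quoted in this bug.
// Assumption: that instance's own origin is http://bug888.bugzilla.vm.
const IMG_SRC = "'self' https://secure.gravatar.com http://bug888.bugzilla.vm/1334158/";
const SELF = "http://bug888.bugzilla.vm";

for (const u of [
  "https://secure.gravatar.com/avatar/0123abcd?s=64",
  "http://bug888.bugzilla.vm/1334158/attachment.cgi?id=8830784",
  "http://bug888.bugzilla.vm:8080/1334158/attachment.cgi",
]) {
  console.log(u, "->", directiveAllows(IMG_SRC, u, SELF) ? "allowed" : "blocked");
}
```

Note that on the dev instance the attachment base shares the page's origin, so 'self' already covers it; the trailing-slash entry only does real work when attachments are served from a separate host, which is the production case this bug is about. The port check also shows why a scheme-less or port-less expression is stricter than it looks: a URL on a non-default port is rejected even when host and path match.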
Comment on attachment 8830784
1334158_1.patch

Review of attachment 8830784:
-----------------------------------------------------------------

r=dkl
Attachment #8830784 - Flags: review?(dkl) → review+
To git@github.com:mozilla-bteam/bmo.git
   c768148..e320945  master -> master
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
this change is now live.

dkl