Safari doesn't indicate html5 required form fields, leading to confusion / inability to "save changes"

Status: NEW, Unassigned
Product: bugzilla.mozilla.org, Component: General, Priority: P3, Severity: normal
Reporter: jwhitlock
Version: Production, Platform: x86_64, Mac OS X

Description (Reporter, 7 months ago)

When creating a bug, Safari 10.0.3 (desktop) reports:

Failed to set referrer policy: The value 'origin-when-crossorigin' is not one of 'no-referrer', 'origin', 'no-referrer-when-downgrade', or 'unsafe-url'. Defaulting to 'no-referrer'.

This may be the HTML that triggers it:

<meta name="referrer" content="origin-when-crossorigin"><link rel="shortcut icon" href="extensions/BMO/web/images/favicon.ico"><meta name="robots" content="noarchive">

When viewing a bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1344493), I get this error as well as:

Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.

Headers are:

X-content-security-policy: default-src 'self'; child-src 'self' https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm; connect-src 'self' https://brasstacks.mozilla.com/orangefactor/api/count https://reviewboard.mozilla.org/api/extensions/mozreview.extension.MozReviewExtension/summary/; img-src 'self' https://secure.gravatar.com https://bug1344493.bmoattachments.org/; object-src https://bugzilla.mozilla.org/extensions/BugModal/web/ZeroClipboard/ZeroClipboard.swf; script-src 'self' 'nonce-Io0exvPKZZFx31tZQ4Tr1K7efnfxtGTeyw53KRaajRzzYvgb' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; form-action 'self' https://www.google.com/search https://github.com/login/oauth/authorize https://github.com/login

Content-security-policy: default-src 'self'; child-src 'self' https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm; connect-src 'self' https://brasstacks.mozilla.com/orangefactor/api/count https://reviewboard.mozilla.org/api/extensions/mozreview.extension.MozReviewExtension/summary/; img-src 'self' https://secure.gravatar.com https://bug1344493.bmoattachments.org/; object-src https://bugzilla.mozilla.org/extensions/BugModal/web/ZeroClipboard/ZeroClipboard.swf; script-src 'self' 'nonce-Io0exvPKZZFx31tZQ4Tr1K7efnfxtGTeyw53KRaajRzzYvgb' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; form-action 'self' https://www.google.com/search https://github.com/login/oauth/authorize https://github.com/login

It does not say which script had an issue, but I am unable to change the product and component from Mozilla Developer Network / Security to NSS / Tests.

In Chrome 56.0.2924.87, I am able to set the product and component. The Tracking Version and Target are highlighted in red, to show that they must be changed as well. This may be the script that is unable to load.
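
An added example, not part of the bug report and not Bugzilla's code: under CSP Level 2 and later, a nonce or hash in script-src makes the browser ignore 'unsafe-inline', so an inline script or inline event handler without the nonce is refused with a message like the one quoted in the description. The function names and the sample header (same script-src shape as the header above, with a placeholder nonce) are constructed for illustration.

```javascript
// Added example, not Bugzilla's code. Models how a CSP Level 2+ browser treats
// an inline script or inline event handler that carries no nonce.

// Parse a policy string into Map(directive name -> source tokens).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive that appears twice is ignored the second time.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Verdict for un-nonced inline script under script-src (default-src as fallback).
function inlineScriptVerdict(header) {
  const policy = parseCsp(header);
  const sources = policy.get('script-src') || policy.get('default-src');
  if (sources === undefined) {
    return { allowed: true, reason: 'no script-src or default-src directive' };
  }
  const lower = sources.map((s) => s.toLowerCase());
  const unsafeInline = lower.includes("'unsafe-inline'");
  const nonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-.+'$/.test(s));
  if (unsafeInline && nonceOrHash) {
    // CSP2 rule: a nonce or hash source makes the browser ignore 'unsafe-inline'.
    return { allowed: false, reason: "'unsafe-inline' ignored because a nonce or hash is present" };
  }
  if (unsafeInline) return { allowed: true, reason: "'unsafe-inline' in effect" };
  return { allowed: false, reason: "no 'unsafe-inline' source" };
}

// Constructed sample: same script-src shape as the header quoted above,
// with a placeholder nonce.
const SAMPLE = "default-src 'self'; script-src 'self' 'nonce-EXAMPLEONLY' " +
  "'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";

console.log(inlineScriptVerdict(SAMPLE));
console.log(inlineScriptVerdict("default-src 'self'; script-src 'self' 'unsafe-inline'"));
```

A browser that implements only CSP Level 1 does not know nonce sources and would honour 'unsafe-inline' instead, which is why policies often list both.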

Updated (Reporter, 7 months ago)
Summary: Safari errors on CSP referrer policy, can't change product → Safari errors on CSP referrer, script nonce, can't change product
Both of those warnings are harmless (I think). The script error is jQuery checking for onclick (unless I'm mistaken, I'll take a look).

The second one is Safari not supporting "origin-when-crossorigin".

The actual problem is that Safari doesn't entirely support the html5 form validation :required attribute.
Adding https://bugs.webkit.org/show_bug.cgi?id=28649 as a see-also.

I'll see if there is an easy workaround for this on Monday.
Priority: -- → P2
This will need a polyfill. It doesn't *prevent* Safari from operating so adjusting the priority down.
Priority: P2 → P3
Summary: Safari errors on CSP referrer, script nonce, can't change product → Safari doesn't indicate html5 required form fields, leading to confusion / inability to "save changes"