Closed Bug 1347180 Opened 8 years ago Closed 8 years ago

Content Security Policy triggered on browser asset

Categories: Core :: DOM: Security, defect
Version: 49 Branch
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED INVALID

People: Reporter: _+bugzilla, Unassigned

Keywords: testcase

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

- cleared history
- visited site with Content-Security-Policy: "default-src 'self' 'unsafe-inline' 'unsafe-eval';"
- had a number form field on page

Actual results:

Content Security Policy: The page’s settings blocked the loading of a resource at data:image/svg+xml,<svg%20xmlns="http://www.w3.org/2000/svg"%20width="6"%20height="5"><path%20d="M1,4%20L3,0%205,4"%20fill="dimgrey"/></svg> (“default-src http://localhost:82 'unsafe-inline' 'unsafe-eval'”). in debug console

Expected results:

https://gist.github.com/mndvns/dd4e37ecc896934d27a2 has a line under input[type=number]::-moz-number-spin-up that seems to match the error - inline SVG. This only shows up when history has been cleared.
Component: Untriaged → DOM: Security
Product: Firefox → Core
Do you have a page/testcase to provide to reproduce the issue?
Flags: needinfo?(_+bugzilla)
This is as minimal as I can get - php to make sure the right header is sent https://projects.sudrien.net/bugzilla_1347180.php
Flags: needinfo?(_+bugzilla)
Flags: needinfo?(ckerschb)
Version: 52 Branch → 49 Branch
Mhm, that doesn't seem like a regression but rather like a web compatibility issue. Before we converted the imageLoader to use AsyncOpen2() probably CSP was not consulted for that load. Now CSP is consulted and since the CSP does not list 'data:' explicitly it is blocked by the browser. Does the problem go away if you change your CSP to:

> Content-Security-Policy: "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:";

Btw, using unsafe-inline as well as unsafe-eval does not buy you a whole lot of XSS protection through CSP.
Flags: needinfo?(ckerschb)
Blocks: 1206961
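To make the matching rules behind the comment above concrete, here is a simplified CSP source-expression matcher, added for this page and not part of Firefox or of the reporter's test page. It implements the keyword, scheme-source and host-source rules from the CSP spec plus the img-src/script-src fallback to default-src, and skips nonces and hashes. The origin http://localhost:82 and the spinner SVG data: URL are taken from the error message in comment 0; the third policy (img-src 'self' data:) is an assumed narrower alternative that the thread does not discuss: it allows data: images without also letting script-src, which falls back to default-src too, accept data: scripts.

```javascript
// Added example: simplified CSP matcher (not browser code, not the project's code).
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "default-src 'self' data:; img-src *" -> Map { 'default-src' => [...], 'img-src' => ['*'] }
// The first occurrence of a directive wins, as in the spec.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// CSP lets an http: expression match https: loads (and ws: match wss:).
function schemeMatches(expected, actual) {
  return expected === actual ||
    (expected === 'http:' && actual === 'https:') ||
    (expected === 'ws:' && actual === 'wss:');
}

function effectivePort(u) {
  return u.port || DEFAULT_PORTS[u.protocol] || '';
}

// Does one source expression permit fetching `url` from a document at `selfOrigin`?
function sourceMatches(source, url, selfOrigin) {
  const u = new URL(url);
  const self = new URL(selfOrigin);
  const s = source.toLowerCase();

  if (s === "'none'") return false;
  // 'self' compares origins; a data: URL has the opaque origin "null", so it never matches.
  if (s === "'self'") return u.origin === self.origin;
  // Remaining quoted keywords ('unsafe-inline', 'unsafe-eval', ...) govern inline code
  // and eval, not URL fetches.
  if (s.startsWith("'")) return false;
  // '*' matches any scheme except data:, blob: and filesystem:.
  if (s === '*') return !['data:', 'blob:', 'filesystem:'].includes(u.protocol);
  // scheme-source, e.g. "data:" or "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s, u.protocol);

  // host-source: [scheme://][*.]host[:port|:*][/path]
  const m = /^(?:([A-Za-z][A-Za-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?(\/.*)?$/.exec(source);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ':' : self.protocol;
  const wildcard = m[2] !== undefined;
  const host = m[3].toLowerCase();
  const port = m[4];
  const path = m[5];
  if (!schemeMatches(scheme, u.protocol)) return false;
  const h = u.hostname.toLowerCase();
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  // No port in the expression means the URL must use its scheme's default port
  // (WHATWG URL reports that as an empty port string).
  if (port === undefined ? u.port !== '' : (port !== '*' && effectivePort(u) !== port)) return false;
  if (path !== undefined) {
    if (path.endsWith('/') ? !u.pathname.startsWith(path) : u.pathname !== path) return false;
  }
  return true;
}

// The governing directive is the specific one if present, else default-src.
// With neither, CSP imposes no restriction on that load.
function isAllowed(policy, directive, url, selfOrigin) {
  const dirs = parsePolicy(policy);
  const sources = dirs.get(directive) ?? dirs.get('default-src');
  if (sources === undefined) return true;
  return sources.some((src) => sourceMatches(src, url, selfOrigin));
}

// Values from the thread's error message; the SVG is Firefox's number-spinner glyph.
const SELF_ORIGIN = 'http://localhost:82';
const SPINNER_SVG = 'data:image/svg+xml,<svg%20xmlns="http://www.w3.org/2000/svg"%20width="6"%20height="5"><path%20d="M1,4%20L3,0%205,4"%20fill="dimgrey"/></svg>';

const POLICY_ORIGINAL = "default-src 'self' 'unsafe-inline' 'unsafe-eval'";
const POLICY_BROAD_FIX = "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:";
// Assumed narrower fix: data: only for images, so script-src (also falling back to
// default-src) does not gain data: as a side effect.
const POLICY_NARROW_FIX = "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:";

function evaluate(policy) {
  return {
    spinnerImage: isAllowed(policy, 'img-src', SPINNER_SVG, SELF_ORIGIN),
    dataScript: isAllowed(policy, 'script-src', 'data:text/javascript,alert(1)', SELF_ORIGIN),
    ownScript: isAllowed(policy, 'script-src', 'http://localhost:82/app.js', SELF_ORIGIN),
    otherPort: isAllowed(policy, 'img-src', 'http://localhost:83/x.png', SELF_ORIGIN),
  };
}

for (const [name, policy] of Object.entries({ POLICY_ORIGINAL, POLICY_BROAD_FIX, POLICY_NARROW_FIX })) {
  console.log(name, evaluate(policy));
}
```

Running it shows the original policy rejecting the spinner, the broad fix admitting both the spinner and a data: script, and the narrow fix admitting only the spinner; note also that 'self' is an origin match, so port 83 on the same host is refused, which is why Firefox prints 'self' expanded to http://localhost:82 in its console message.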
Christoph, adding data: to the allowed list does seem to remove the error message. https://projects.sudrien.net/bugzilla_1347180_1.php And thanks for the concern, I'm rewriting legacy inline js as time is available.
Glad that worked out - closing this bug as invalid in that case.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
The data: is in browser stylesheets - not mine - but ok.