Spurious Content Security Policy errors in our PWA

RESOLVED DUPLICATE of bug 1358106

Core
DOM: Security

People

(Reporter: ashley, Unassigned)

Tracking

56 Branch

(Reporter)

Description

6 months ago
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20170615030208

Steps to reproduce:

1. Visit https://editor.construct.net/?skip-support-check


Actual results:

The console logs a lot of Content Security Policy errors of the form:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). Source: enable-background:new 0 0 438.533 438.53.... editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). Source: enable-background:new 0 0 26 26;. editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). Source: fill:#030104;. editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). editor.construct.net
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://editor.construct.net blob:”). Source: fill:#030104;.


Expected results:

It's not clear why these errors are being logged. They do not appear to identify a specific resource that was blocked, and as far as I can tell looking around our PWA, nothing has actually failed to load.

I suspect the errors are spurious, but if not, they're unhelpful. They don't seem to make sense ("blocked the loading of a resource at self" when our CSP allows resources at "self") and they don't clearly identify a resource (either there is no resource mentioned or it's something mysterious like "enable-background:new 0 0 26 26" or "fill:#030104").

Chrome does not log any such errors.

Updated

6 months ago
Component: Untriaged → DOM: Security
(Reporter)

Comment 1

6 months ago
I looked into this a bit more and it turns out we have some style attributes in SVG which appear to match the error messages. Seems that Chrome ignores them but Firefox logs an error - not sure which browser's correct here actually.
(Reporter)

Comment 2

6 months ago
Note we just published an update that works around the original issue; to see it please visit this URL instead: https://editor.construct.net/r38-2/?skip-support-check
This appears to be a duplicate of bug 1358106 -- we should not be applying CSP to the interior of an SVG loaded as an <img> tag.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1358106