Closed
Bug 1388378
Opened 7 years ago
Closed 7 years ago
stylo: CSP errors reported for @font-face declarations in unrelated documents
Categories
(Core :: CSS Parsing and Computation, defect)
RESOLVED
DUPLICATE
of bug 1384741
People
(Reporter: yousef, Unassigned)
Attachments
(2 files)
I don't actually know if this is an issue with WebExtensions or Nightly itself, but it seems more likely to be WebEx so I'm filing it here.
For the past couple of weeks I've noticed a huge uptick in the number of CSP violations on mozillians.org from Nightly 57 users, and the violating domains are not malicious at all. It turns out a lot of these domains are domains from other tabs that I have open (and I assume it's the same for other users). It seems to try and load fonts from other sites (the URLs that violate CSP are valid URLs), and I've seen this happen on both mozillians.org and mozilla.org.
I know of one other person who has reproduced this behavior, and the addons we have in common are Containers and uBlock.
Reporter
Comment 1•7 years ago
Comment 2•7 years ago
What extensions do you have installed?
Reporter
Comment 3•7 years ago
Sorry, reading it back I realize I should have added all of my extensions:
Activity Stream
Test Pilot
Containers
Hostname in title (written by me, https://github.com/flamingspaz/hostname-in-title)
uBlock origin
:hmitsch runs these extensions https://www.dropbox.com/s/7mlyzy58v9zx1r9/Screenshot%202017-08-08%2015.48.18.png?dl=0
I did originally think it was my extension that was causing the issue, but disabling it doesn't help. I also did more testing and it never seems to happen when the browser is just started, only after a while. Additionally it generates the CSP errors in private tabs with the domains from non-private browsing.
Comment 4•7 years ago
Hm. Well, that version of uBlock origin is not a WebExtension, so it seems unlikely that the WebExtensions framework has anything to do with this. Individual WebExtensions could certainly cause something like this, though.
If I had to guess, my best bets would be:
1) We share preloaded extension stylesheets between documents, and it's conceivable that that could cause some issues with font face definitions across documents with shared sheets. But legacy uBlock origin doesn't use this method.
2) It may have something to do with the devtools inspector.
3) It may have something to do with stylo. This seems the most likely bet, since I immediately see this problem after switching on stylo, restarting, and opening Django docs followed by mozillians.
Blocks: stylo
Group: toolkit-core-security → core-security
Component: WebExtensions: Untriaged → CSS Parsing and Computation
Product: Toolkit → Core
Summary: WebExtension(s)/Nightly leaking domains via CSP → stylo: CSP errors reported for @font-face declarations in unrelated documents
Updated•7 years ago
Group: core-security → layout-core-security
Comment 5•7 years ago
Pretty sure this is related to bug 1384741, not sure if it's a duplicate or not.
Reporter
Comment 6•7 years ago
Yeah, sounds like a dupe of that, I have stylo enabled. Thanks all!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated•7 years ago
Group: layout-core-security
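
One way a site operator could separate the kind of `font-src` report noise described in this bug from real policy gaps, as an added example that is not part of the original bug thread or any Mozilla code. The record layout (a `ua` field stored beside the `csp-report` body), the placeholder hosts, the `build`/`triage` helpers and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records: the "csp-report" body a browser POSTs to report-uri,
# paired with the User-Agent header the collector saw. All hosts are placeholders.
FX57 = "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0"
FX55 = "Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0"
CR60 = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"

def report(ua, blocked, directive="font-src 'self'"):
    return {"ua": ua, "csp-report": {"document-uri": "https://site.example/",
            "violated-directive": directive, "blocked-uri": blocked}}

SAMPLE = [
    report(FX57, "https://docs.example.org/fonts/a.woff"),
    report(FX57, "https://news.example.net/f/b.woff2"),
    report(FX57, "https://shop.example.com/c.ttf"),
    report(FX57, "https://cdn.example.io/real.woff"),
    report(FX55, "https://cdn.example.io/real.woff"),
    report(CR60, "https://cdn.example.io/real.woff"),
    report(CR60, "inline", "script-src 'self'"),
]

def build(ua):
    # Simplified browser/major-version label (assumption: Firefox and Chrome only).
    m = re.search(r"(Firefox|Chrome)/(\d+)", ua)
    return f"{m.group(1)} {m.group(2)}" if m else "other"

def triage(records, directive="font-src", min_hosts=3):
    """Return (hosts blocked for several builds, {build: hosts only it reported})."""
    builds_by_host = defaultdict(set)
    for rec in records:
        body = rec.get("csp-report", {})
        # violated-directive may carry the whole directive; compare its name only.
        name = (body.get("violated-directive") or "").split()
        host = urlsplit(body.get("blocked-uri", "")).hostname  # None for "inline"
        if name and name[0] == directive and host:
            builds_by_host[host].add(build(rec.get("ua", "")))
    # A host blocked for several browser builds points at the page's own markup.
    policy_gaps = sorted(h for h, b in builds_by_host.items() if len(b) > 1)
    lone = defaultdict(set)
    for host, builds in builds_by_host.items():
        if len(builds) == 1:
            lone[next(iter(builds))].add(host)
    # One build reporting many hosts nobody else reports points at the client.
    suspect = {b: sorted(hs) for b, hs in lone.items() if len(hs) >= min_hosts}
    return policy_gaps, suspect
```
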