Closed Bug 1388378 Opened 6 years ago Closed 6 years ago

stylo: CSP errors reported for @font-face declarations in unrelated documents


(Core :: CSS Parsing and Computation, defect)

Not set





(Reporter: yousef, Unassigned)




(2 files)

I don't actually know if this is an issue with WebExtensions or Nightly itself, but it seems more likely to be WebEx so I'm filing it here.

For the past couple of weeks I've noticed a huge uptick in the number of CSP violations on from Nightly 57 users, and the violating domains are not malicious at all. It turns out a lot of these domains are domains from other tabs that I have open (and I assume it's the same for other users). It seems to try and load fonts from other sites (The URLs that violate CSP are valid URLs) and I've seen this happen on both and

I know of one other person who has reproduced this behavior, and the addons we have in common are Containers and uBlock.
Attached image abU6.png
What extensions do you have installed?
Sorry, reading it back I realize I should have added all of my extensions:

Activity Stream
Test Pilot
Hostname in title (written by me,
uBlock origin

:hmitsch runs these extensions

I did originally think it was my extension that was causing the issue, but disabling it doesn't help. I also did more testing and it never seems to happen when the browser is just started, only after a while. Additionally it generates the CSP errors in private tabs with the domains from non-private browsing.
Hm. Well, that version of uBlock origin is not a WebExtension, so it seems unlikely that the WebExtensions framework has anything to do with this. Individual WebExtensions could certainly cause something like this, though.

If I had to guess, my best bets would be:

1) We share preloaded extension stylesheets between documents, and it's conceivable that that could cause some issues with font face definitions across documents with shared sheets. But legacy uBlock origin doesn't use this method.

2) It may have something to do with the devtools inspector.

3) It may have something to do with stylo. This seems the most likely bet, since I immediately see this problem after switching on stylo, restarting, and opening Django docs followed by mozillians.
Blocks: stylo
Group: toolkit-core-security → core-security
Component: WebExtensions: Untriaged → CSS Parsing and Computation
Product: Toolkit → Core
Summary: WebExtension(s)/Nightly leaking domains via CSP → stylo: CSP errors reported for @font-face declarations in unrelated documents
Group: core-security → layout-core-security
Pretty sure this is related to bug 1384741, not sure if a duplicated or not.
Yeah, sounds like a dupe of that, I have stylo enabled. Thanks all!
Closed: 6 years ago
Resolution: --- → DUPLICATE
Group: layout-core-security
You need to log in before you can comment on or make changes to this bug.