User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0 Build ID: 20171027085204 Steps to reproduce: When multiple Link headers (or possibly multiple values in a single header) are present - the CSP handler gets confused and incorrectly blocks the preload. This reproduces it in PHP: header("Content-Security-Policy: script-src 'self' cdn.jsdelivr.net; style-src 'self';"); // this fails incorrectly header("Link: </s/c.css>; rel=preload; as=style, </s/c.js>; rel=preload; as=script, <https://email@example.com/src-min-noconflict/worker-php.js>; rel=preload; as=script"); // this has the same values in a different order - and works // header("Link: </s/c.js>; rel=preload; as=script, </s/c.css>; rel=preload; as=style, <https://firstname.lastname@example.org/src-min-noconflict/worker-php.js>; rel=preload; as=script"); Actual results: Content Security Policy: The page’s settings blocked the loading of a resource at https://email@example.com/src-min-noconflict/worker-php.js (“style-src http://site.com”). Expected results: no error
2 years ago
Component: Untriaged → DOM: Security
Product: Firefox → Core
Dragana: This feels like it's broken in the link header processing of the "as=" bits -- is that something you're working on, or if not do you know who it would be?
I can take a look. preload is currently disabled. but it would be good to fix this.
Assignee: nobody → dd.mozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P3
Comment on attachment 8933735 [details] [diff] [review] bug_1414209_v1.patch Some comment about why this is needed would have been nice, but I looked at the method and the loop there.
Attachment #8933735 - Flags: review?(bugs) → review+
Pushed by firstname.lastname@example.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/f28a10b116e0 Truncate as value after each link header. r=smaug
You need to log in before you can comment on or make changes to this bug.