Bug 1414209 - Closed
Opened 7 years ago; closed 7 years ago
Content Security Policy confused by order of preload Link headers
Categories
(Core :: DOM: Security, defect, P3)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla59

| Tracking | Status
---|---|---
firefox59 | --- | fixed
People
(Reporter: sjon, Assigned: dragana)
Details
(Whiteboard: [domsecurity-active])
Attachments (1 file)
bug_1414209_v1.patch (744 bytes, patch) - smaug: review+
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20171027085204

Steps to reproduce:

When multiple Link headers (or possibly multiple values in a single header) are present - the CSP handler gets confused and incorrectly blocks the preload. This reproduces it in PHP:

    header("Content-Security-Policy: script-src 'self' cdn.jsdelivr.net; style-src 'self';");
    // this fails incorrectly
    header("Link: </s/c.css>; rel=preload; as=style, </s/c.js>; rel=preload; as=script, <https://cdn.jsdelivr.net/gh/ajaxorg/ace-builds@1.2.8/src-min-noconflict/worker-php.js>; rel=preload; as=script");
    // this has the same values in a different order - and works
    // header("Link: </s/c.js>; rel=preload; as=script, </s/c.css>; rel=preload; as=style, <https://cdn.jsdelivr.net/gh/ajaxorg/ace-builds@1.2.8/src-min-noconflict/worker-php.js>; rel=preload; as=script");

Actual results:

Content Security Policy: The page’s settings blocked the loading of a resource at https://cdn.jsdelivr.net/gh/ajaxorg/ace-builds@1.2.8/src-min-noconflict/worker-php.js (“style-src http://site.com”).

Expected results:

no error
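The order dependence above is what a stale `as` value produces when a multi-value Link header is parsed in one loop. The following is an added model of that defect, not Gecko's code: it assumes the parser keeps `as` in a buffer outside the loop, accepts only the first `as=` it sees (first one wins), and, in the buggy variant, never clears that buffer between entries; the fixed variant clears it after each link header, as the landed patch does. The CSP, the page origin and both header orders are the values from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed inputs, copied from the bug report.
CSP = {"script-src": ["'self'", "cdn.jsdelivr.net"], "style-src": ["'self'"]}
CDN_JS = "https://cdn.jsdelivr.net/gh/ajaxorg/ace-builds@1.2.8/src-min-noconflict/worker-php.js"
FAILING_ORDER = ("</s/c.css>; rel=preload; as=style, </s/c.js>; rel=preload; as=script, "
                 "<" + CDN_JS + ">; rel=preload; as=script")
WORKING_ORDER = ("</s/c.js>; rel=preload; as=script, </s/c.css>; rel=preload; as=style, "
                 "<" + CDN_JS + ">; rel=preload; as=script")
AS_TO_DIRECTIVE = {"script": "script-src", "style": "style-src"}  # assumption: only the two the report needs


def parse_link_header(header, clear_as_per_entry):
    """Split a Link header into entries. `as_value` lives outside the loop, like a
    reused buffer, and only the first as= seen is accepted (first one wins). Without
    clear_as_per_entry the value leaks into every later entry: the reported bug."""
    entries, as_value = [], ""
    for raw in header.split(","):
        m = re.match(r"\s*<([^>]*)>(.*)", raw)
        if not m:
            continue
        href, rel = m.group(1), ""
        for param in m.group(2).split(";"):
            key, _, val = (s.strip() for s in param.partition("="))
            if key.lower() == "as" and not as_value:
                as_value = val.lower()
            elif key.lower() == "rel":
                rel = val.lower()
        entries.append({"href": href, "rel": rel, "as": as_value})
        if clear_as_per_entry:
            as_value = ""  # the fix: truncate the as value after each link header
    return entries


def csp_allows(entry, page_origin="http://site.com"):
    """Check one preload against the directive its `as` destination maps to."""
    directive = AS_TO_DIRECTIVE.get(entry["as"])
    if directive is None:
        return True  # assumption: an unknown destination is not checked in this model
    sources = CSP[directive]
    host = urlsplit(entry["href"]).hostname
    if host is None:  # relative URL, so same origin as the page
        return "'self'" in sources
    return host in sources or (host == urlsplit(page_origin).hostname and "'self'" in sources)


def blocked_preloads(header, clear_as_per_entry):
    """Return the hrefs of preload entries the policy would block."""
    return [e["href"] for e in parse_link_header(header, clear_as_per_entry)
            if e["rel"] == "preload" and not csp_allows(e)]
```

With the buggy variant the third entry inherits `as=style` and the CDN script is checked against `style-src`, exactly the message in the report; the reversed order only passes because every entry inherits `as=script`, so the bug is masked rather than absent.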
Updated•7 years ago
Component: Untriaged → DOM: Security
Product: Firefox → Core
Comment 1•7 years ago
Dragana: This feels like it's broken in the link header processing of the "as=" bits -- is that something you're working on, or if not do you know who it would be?
Flags: needinfo?(dd.mozilla)
Comment 2•7 years ago
I can take a look. Preload is currently disabled, but it would be good to fix this.
Assignee: nobody → dd.mozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(dd.mozilla)
Updated•7 years ago
Priority: -- → P3
Whiteboard: [domsecurity-active]
Comment 3•7 years ago
Attachment #8933735 - Flags: review?(bugs)
Comment 4•7 years ago
Comment on attachment 8933735 (bug_1414209_v1.patch)

Some comment about why this is needed would have been nice, but I looked at the method and the loop there.

Attachment #8933735 - Flags: review?(bugs) → review+
Pushed by dd.mozilla@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/f28a10b116e0 Truncate as value after each link header. r=smaug
Comment 6•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/f28a10b116e0
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox59: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59