Closed
Bug 1417360
Opened 7 years ago
Closed 7 years ago
Page CSP rules should be same when bookmarking a JS and pasting the JS into console
Categories
(Core :: DOM: Security, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 866522
People
(Reporter: u605759, Unassigned)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0 Build ID: 20171112125346 Steps to reproduce: (Similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1267027, not the same) Bookmarked ``` javascript:(window.location.href=window.location.href.replace("/0/","/1/")); ``` Went to https://mail.google.com/mail/u/0/#inbox Opened the console Clicked on the bookmark Actual results: Console: Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'nonce-4ak7HyzvBrHe/F0+0N8Li7zJNm0' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:”). Expected results: Instead, if I paste the bookmark's javascript to console, it works. ``` window.location.href=window.location.href.replace("/0/","/1/") "https://mail.google.com/mail/u/1/#inbox" ``` So, there should be no difference between running the JS in the console, and running the JS as a bookmark.
Summary, pasting `window.location.href=window.location.href.replace("/0/","/1/")` into bookmark link does not work while pasting and running the same script in console works.
Updated•7 years ago
|
Component: Untriaged → DOM: Security
Product: Firefox → Core
Updated•7 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•