Closed Bug 1417360 Opened 7 years ago Closed 7 years ago

Page CSP rules should be same when bookmarking a JS and pasting the JS into console

Categories

(Core :: DOM: Security, defect)

57 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 866522

People

(Reporter: u605759, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20171112125346

Steps to reproduce:

(Similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1267027, not the same)

Bookmarked
```
javascript:(window.location.href=window.location.href.replace("/0/","/1/"));
```
Went to https://mail.google.com/mail/u/0/#inbox
Opened the console
Clicked on the bookmark


Actual results:

Console:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'nonce-4ak7HyzvBrHe/F0+0N8Li7zJNm0' 'strict-dynamic' 'unsafe-eval' 'unsafe-inline' https:”).


Expected results:

Instead, if I paste the bookmark's javascript to console, it works.
```
window.location.href=window.location.href.replace("/0/","/1/")
"https://mail.google.com/mail/u/1/#inbox"
```
So, there should be no difference between running the JS in the console, and running the JS as a bookmark.
Summary, pasting `window.location.href=window.location.href.replace("/0/","/1/")` into bookmark link does not work while pasting and running the same script in console works.
Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.