Closed Bug 1437009 Opened 7 years ago Closed 6 years ago

CSP is not propagated to the TriggeringPrincipal for right-click new tab,ctrl-click new tab, drag & drop new tab cases

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Version:
60 Branch
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1515863

People

(Reporter: vinoth, Unassigned)

References

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:60.0) Gecko/20100101 Firefox/60.0 Build ID: 20180206100151 Steps to reproduce: 1. click the link https://www.halesworth.net/links/list_two.php?code=3 2. Find the link in the list with the name "Walpole Chapel". 3. Normal click on the link from [2] will throw "Your connection is not secure" and the page will not be loaded. Because of the "upgrade-insecure-reqeusts" CSP from [1] 4. Opening the link using Right-Click new tab or ctrl-click new tab or drag-and-drop new tab will load the page without any "Your connection is not secure" error. Actual results: Summary of actual result: * right-click secure link to force top-level navigation * the initial load is secure link * the requests hits a 30x redirect to navigate to insecure cross-origin page This is because the CSP is not propagated to the TriggeringPrincipal for these scenarios. CSP object is null in the below line of code, https://dxr.mozilla.org/mozilla-central/source/docshell/base/nsDocShell.cpp#10753 Expected results: Expected Result: Link should be blocked from loading for all these scenarios because of the "upgrade-insecure-reqeusts" CSP. CSP should be propagated to the Principal for all these scenarios.
Blocks: 1422284
Component: Untriaged → DOM: Security
Product: Firefox → Core
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Restrict Comments: true

The original testcase here doesn't work anymore because the links have been changed in markup. However, I believe this bug was fixed in 66 and later by bug 1515863. Vinoth / Christoph, can you confirm?

Flags: needinfo?(ckerschb)
Flags: needinfo?(cegvinoth)

(the dupes that use inline JS still open tabs but the JS doesn't run, which seems reasonable behavior)

(In reply to :Gijs (he/him) from comment #4)

The original testcase here doesn't work anymore because the links have been changed in markup. However, I believe this bug was fixed in 66 and later by bug 1515863. Vinoth / Christoph, can you confirm?

Yes, I can confirm that Bug 1515863 fixed that problem. Marking this bug as a duplicate of 1515863.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(ckerschb)
Flags: needinfo?(cegvinoth)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.