CSP is not propagated to the TriggeringPrincipal for right-click new tab, ctrl-click new tab, drag & drop new tab cases

Status: UNCONFIRMED
Assignee: Unassigned
Product: Core
Component: DOM: Security
Priority: P3
Severity: normal
Version: 60 Branch
Reported: 14 days ago
Last updated: 11 days ago
Reporter: vinoth
Blocks: 1 bug
Points: ---
Firefox Tracking Flags: (Not tracked)
Whiteboard: [domsecurity-backlog1]

Description (Reporter, 14 days ago)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180206100151

Steps to reproduce:

1. Click the link https://www.halesworth.net/links/list_two.php?code=3
2. Find the link in the list with the name "Walpole Chapel".
3. A normal click on the link from [2] will throw "Your connection is not secure" and the page will not be loaded, because of the "upgrade-insecure-requests" CSP from [1].
4. Opening the link using right-click new tab, ctrl-click new tab or drag-and-drop new tab will load the page without any "Your connection is not secure" error.

Actual results:

Summary of actual result:
* right-click a secure link to force a top-level navigation
* the initial load is a secure link
* the request hits a 30x redirect to navigate to an insecure cross-origin page

This is because the CSP is not propagated to the TriggeringPrincipal for these scenarios.
The CSP object is null at the line of code below:
https://dxr.mozilla.org/mozilla-central/source/docshell/base/nsDocShell.cpp#10753

Expected results:

Link should be blocked from loading for all these scenarios because of the "upgrade-insecure-requests" CSP.

CSP should be propagated to the Principal for all these scenarios.
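As an added illustration (not Firefox code and not the reporter's), here is a Python model of the navigation the report describes: the page's upgrade-insecure-requests CSP travels with the TriggeringPrincipal and is applied to the initial request and to each redirect target, so the 30x to the insecure cross-origin page is upgraded to https and fails, while a principal whose CSP is null follows the redirect over plain http. The host names, the redirect table and the `propagate_csp` switch are constructed for the model; the spec's cross-origin navigation exceptions are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# The three link-opening paths the report says drop the CSP.
NEW_TAB_MODES = {"right-click-new-tab", "ctrl-click-new-tab", "drag-drop-new-tab"}

@dataclass
class CSP:
    upgrade_insecure_requests: bool = False

@dataclass
class TriggeringPrincipal:
    origin: str
    csp: Optional[CSP] = None  # None models the null CSP the report observed

# Constructed stand-ins for the remote servers (hypothetical hosts, not the real site).
REDIRECTS: Dict[str, str] = {"https://links.example/list": "http://chapel.example/"}
HTTPS_CAPABLE = {"links.example"}  # hosts presenting a valid certificate over https

def apply_upgrade(url: str, principal: TriggeringPrincipal) -> str:
    """Rewrite http:// to https:// when the triggering principal carries
    upgrade-insecure-requests; a missing CSP means nothing is upgraded."""
    parts = urlsplit(url)
    if parts.scheme == "http" and principal.csp and principal.csp.upgrade_insecure_requests:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url

def navigate(url: str, principal: TriggeringPrincipal, max_hops: int = 10) -> Tuple[str, str]:
    """Follow redirects, applying the upgrade at every hop (the report's normal-click
    case implies the redirect target is upgraded too)."""
    for _ in range(max_hops + 1):
        url = apply_upgrade(url, principal)
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.hostname not in HTTPS_CAPABLE:
            return ("connection_not_secure", url)  # the certificate error the report quotes
        if url not in REDIRECTS:
            return ("loaded", url)
        url = REDIRECTS[url]
    return ("too_many_redirects", url)

def open_link(url: str, page: TriggeringPrincipal, mode: str,
              propagate_csp: bool) -> Tuple[str, str]:
    """propagate_csp=False reproduces the reported bug: the new-tab paths build a
    triggering principal without the page's CSP. True is the expected behaviour."""
    if mode in NEW_TAB_MODES and not propagate_csp:
        page = TriggeringPrincipal(page.origin, csp=None)
    return navigate(url, page)

PAGE = TriggeringPrincipal("https://links.example", CSP(upgrade_insecure_requests=True))
LINK = "https://links.example/list"
```

With `propagate_csp=False` only the normal click ends in the certificate error; with `propagate_csp=True` every mode does, which is the expected result stated above.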
Updated (Reporter, 14 days ago)

Blocks: 1422284
Component: Untriaged → DOM: Security
Product: Firefox → Core
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]