Closed Bug 1453933 Opened 2 years ago Closed 2 years ago

Apply Meta CSP to Content Privileged about:rights

Categories

(Core :: DOM: Security, defect, P2)

RESOLVED FIXED
mozilla61
Tracking Status
firefox61 --- fixed

People

(Reporter: vinoth, Assigned: vinoth)

References

(Depends on 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

No description provided.
Attachment #8967697 - Flags: review?(ckerschb)
Comment on attachment 8967697 [details]
1453933 - Meta CSP applied to content privileged about:rights

Christoph Kerschbaumer [:ckerschb] has approved the revision.

https://phabricator.services.mozilla.com/D940
Attachment #8967697 - Flags: review+
Comment on attachment 8967697 [details]
1453933 - Meta CSP applied to content privileged about:rights

Already r+ed by me.
Attachment #8967697 - Flags: review?(ckerschb)
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-active]
Comment on attachment 8967697 [details]
1453933 - Meta CSP applied to content privileged about:rights

Please review the patch for this bug.
Attachment #8967697 - Flags: review?(gijskruitbosch+bugs)
Comment on attachment 8967697 [details]
1453933 - Meta CSP applied to content privileged about:rights

Reviewed on phab.
Attachment #8967697 - Flags: review?(gijskruitbosch+bugs) → review-
Comment on attachment 8967697 [details]
1453933 - Meta CSP applied to content privileged about:rights

Flag set by Christoph Kerschbaumer [:ckerschb] is no longer active.

https://phabricator.services.mozilla.com/D940
Attachment #8967697 - Flags: review+
Comment on attachment 8967697 [details]
1453933 - Meta CSP applied to content privileged about:rights

Requested changes are made.
Please review the patch.
Attachment #8967697 - Flags: review- → review?(gijskruitbosch+bugs)
Comment on attachment 8967697 [details]
1453933 - Meta CSP applied to content privileged about:rights

Christoph Kerschbaumer [:ckerschb] has approved the revision.
:Gijs (he/him) has approved the revision.

https://phabricator.services.mozilla.com/D940
Attachment #8967697 - Flags: review+
Attachment #8967697 - Flags: review?(gijskruitbosch+bugs)
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ba3c6122001c
Meta CSP applied to content privileged about:rights. r=Gijs, r=ckerschb
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a825a8cf259a
Fix ESLint comma-spacing errors in aboutRights.js. r=trivial
https://hg.mozilla.org/mozilla-central/rev/ba3c6122001c
https://hg.mozilla.org/mozilla-central/rev/a825a8cf259a
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
When running the automated browser_aboutURLs.js test, there seem to be errors:

11:21:52     INFO - Console message: [JavaScript Error: "Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”)." {file: "about:rights" line: 0}]
11:21:52     INFO - Console message: [JavaScript Error: "Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”)." {file: "about:rights" line: 0}]
11:21:52     INFO - Console message: [JavaScript Error: "Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”)." {file: "about:rights" line: 0}]

Can you check if we need a follow-up to fix these? Maybe some images or something else is being blocked that shouldn't be?

(cf. https://taskcluster-artifacts.net/DY0UY2JtRDuQIm-lMYn8UQ/0/public/logs/live_backing.log )
Flags: needinfo?(ckerschb)
(In reply to :Gijs (he/him) from comment #12)
> When running the automated browser_aboutURLs.js test, there seem to be
> errors:

Mhm, I couldn't reproduce any of these CSP errors locally. Did you have some other patches applied when you encountered those problems? Obviously if CSP is blocking something then we should figure out where and why. At the moment it seems fine to me. 

Is there anything else I might have to fiddle with so I can reproduce?
Flags: needinfo?(ckerschb) → needinfo?(gijskruitbosch+bugs)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #13)
> (In reply to :Gijs (he/him) from comment #12)
> > When running the automated browser_aboutURLs.js test, there seem to be
> > errors:
> 
> Mhm, I couldn't reproduce any of these CSP errors locally. Did you have some
> other patches applied when you encountered those problems? Obviously if CSP
> is blocking something then we should figure out where and why. At the moment
> it seems fine to me. 
> 
> Is there anything else I might have to fiddle with so I can reproduce?

I can reproduce on a nightly build (as distributed by moco) on Windows and Mac by just loading about:rights in a tab, but not on a local build on either of those platforms. I haven't worked out why yet.
Depends on: 1507226
Filed a follow-up for the warnings. It seems the branded copy of aboutRights has inline style, which the unbranded copy doesn't, which is probably one of the things that's tripping this.
Flags: needinfo?(gijskruitbosch+bugs)
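Added example, not part of the bug or of Mozilla's patch: a lint that reads a page's meta CSP and reports inline style or script that the policy would block, the kind of difference the last comment suspects between the branded and unbranded copies. The sample markup, the policy value and the chrome://example URL are constructed assumptions; the bug does not quote the real policy.

```python
from html.parser import HTMLParser

# Constructed sample standing in for a page copy that carries inline style.
# The policy value and the chrome://example URL are assumptions, not from the bug.
SAMPLE = """<meta http-equiv="Content-Security-Policy" content="default-src chrome:">
<style>.note { margin: 0 }</style>
<p style="font-weight: bold">Your rights</p>
<script src="chrome://example/content/page.js"></script>"""

def parse_policy(value):
    """Split one serialized policy into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for tokens in (part.split() for part in value.split(";")):
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def inline_blocked_by(policy, directive):
    """Return the directive that blocks inline content, or None if it is allowed."""
    # Simplification: nonce and hash sources are not evaluated, only 'unsafe-inline'.
    for name in (directive, "default-src"):  # default-src is the fallback
        if name in policy:
            return None if "'unsafe-inline'" in policy[name] else name
    return None

class InlineLint(HTMLParser):
    def __init__(self):
        super().__init__()
        self.policy, self.findings = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policy = parse_policy(a.get("content") or "")
        if self.policy is None:
            return  # markup before the meta element is not covered by its policy
        kinds = [("style-src", "<style> element")] if tag == "style" else []
        if "style" in a:
            kinds.append(("style-src", f"style attribute on <{tag}>"))
        if tag == "script" and "src" not in a:
            kinds.append(("script-src", "inline <script>"))
        for directive, what in kinds:
            blocker = inline_blocked_by(self.policy, directive)
            if blocker:  # record (line number, what was found, blocking directive)
                self.findings.append((self.getpos()[0], what, blocker))

def lint(html):
    parser = InlineLint()
    parser.feed(html)
    return parser.findings
```

Each finding names the directive that would show up in the console message, so a "default-src" result corresponds to the kind of error quoted in the log above.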