Closed Bug 1457513 Opened 3 years ago Closed 3 years ago

Don't lie about CSP header

Tracking

(firefox-esr52 unaffected, firefox-esr60 wontfix, firefox59 unaffected, firefox60 wontfix, firefox61 fixed)

Status:

RESOLVED FIXED

Milestone:

Firefox 61

Tracking Flags:

Tracking

Status

firefox-esr52

---

unaffected

firefox-esr60

---

wontfix

firefox59

---

unaffected

firefox60

---

wontfix

firefox61

---

fixed

People

(Reporter: Oriol, Assigned: Oriol)

Details

(Keywords: regression)

Attachments

(1 file)

Bug 1457513 - Let JSON Viewer display unmodified headers 3 years ago Oriol Brufau [:Oriol] 59 bytes, text/x-review-board-request	Honza : review+	Details

Oriol Brufau [:Oriol]

Assignee

Description

•

3 years ago

1. Load https://api.github.com/
2. Go to Headers tab

You can see this header:
  Content-Security-Policy:  default-src 'none' ; script-src resource:;

But the server sent this instead:
  Content-Security-Policy:  default-src 'none'

Regressed by https://hg.mozilla.org/mozilla-central/rev/38f15c3991f9

If the header needs to be modified, then this should happen after storing original headers.

Comment hidden (mozreview-request)

Review commit: https://reviewboard.mozilla.org/r/240424/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/240424/

Jan Honza Odvarko [:Honza] (always need-info? me)

Comment 2

•

3 years ago

mozreview-review

Comment on attachment 8971656 [details]
Bug 1457513 - Let JSON Viewer display unmodified headers

https://reviewboard.mozilla.org/r/240424/#review246378

Thanks for the patch & test, looks good to me!

R+ assuming try is green.

Honza

Attachment #8971656 - Flags: review?(odvarko) → review+

Oriol Brufau [:Oriol]

Assignee

Updated

•

3 years ago

Keywords: checkin-needed

Oriol Brufau [:Oriol]

Assignee

Updated

•

3 years ago

Assignee: nobody → oriol-bugzilla

Status: NEW → ASSIGNED

Pulsebot

Comment 3

•

3 years ago

Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2d72766be0b3
Let JSON Viewer display unmodified headers r=Honza

Keywords: checkin-needed

Arthur Iakab [arthur_iakab]

Comment 4

•

3 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/2d72766be0b3

Status: ASSIGNED → RESOLVED

Closed: 3 years ago

status-firefox61: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → Firefox 61

Ryan VanderMeulen [:RyanVM]

Updated

•

3 years ago

status-firefox-esr52: --- → unaffected

status-firefox-esr60: --- → unaffected

Oriol Brufau [:Oriol]

Assignee

Comment 5

•

3 years ago

esr60 seems affected, https://hg.mozilla.org/releases/mozilla-esr60/file/tip/devtools/client/jsonview/converter-child.js#l88

status-firefox-esr60: unaffected → affected

Ryan VanderMeulen [:RyanVM]

Comment 6

•

3 years ago

Too late for 60. I'm not convinced we need to uplift this to ESR60 either, but I'd entertain an argument.

status-firefox60: affected → wontfix

status-firefox-esr60: affected → fix-optional

Julien Cristau [:jcristau]

Comment 7

•

3 years ago

I'm with Ryan on this one.

status-firefox-esr60: fix-optional → wontfix

BMO Automation

Updated

•

3 years ago

Product: Firefox → DevTools

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Don't lie about CSP header

Categories

(DevTools :: JSON Viewer, defect)

Tracking

(firefox-esr52 unaffected, firefox-esr60 wontfix, firefox59 unaffected, firefox60 wontfix, firefox61 fixed)

People

(Reporter: Oriol, Assigned: Oriol)

References

Details

(Keywords: regression)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Updated

Updated

Comment 3

Comment 4

Updated

Comment 5

Comment 6

Comment 7

Updated