Closed Bug 1457513 Opened Last year Closed Last year

Don't lie about CSP header

Categories

(DevTools :: JSON Viewer, defect)

60 Branch
defect
Not set

Tracking

(firefox-esr52 unaffected, firefox-esr60 wontfix, firefox59 unaffected, firefox60 wontfix, firefox61 fixed)

RESOLVED FIXED
Firefox 61
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- wontfix
firefox59 --- unaffected
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: Oriol, Assigned: Oriol)

Details

(Keywords: regression)

Attachments

(1 file)

1. Load https://api.github.com/
2. Go to Headers tab

You can see this header:
  Content-Security-Policy:  default-src 'none' ; script-src resource:;

But the server sent this instead:
  Content-Security-Policy:  default-src 'none'

Regressed by https://hg.mozilla.org/mozilla-central/rev/38f15c3991f9

If the header needs to be modified, then this should happen after storing original headers.
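
The mismatch described in this report, as an added example that is not part of the bug or of Firefox's code: it parses the two header values quoted above, reports what the displayed policy adds to the one the server sent, and models the ordering the report asks for (store the original headers, then modify a copy). All function names are hypothetical.

```javascript
// Added example; function names are hypothetical, not Firefox APIs.

// Parse a CSP header value into a Map: directive name -> source expressions.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. after a trailing ';'
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored; only its first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report how the policy a tool displays differs from the one the server sent.
function diffCsp(sentValue, displayedValue) {
  const sent = parseCsp(sentValue);
  const shown = parseCsp(displayedValue);
  const diff = { added: [], removed: [], changed: [] };
  for (const [name, sources] of shown) {
    if (!sent.has(name)) diff.added.push([name, ...sources].join(" "));
    else if (sent.get(name).join(" ") !== sources.join(" ")) diff.changed.push(name);
  }
  for (const name of sent.keys()) {
    if (!shown.has(name)) diff.removed.push(name);
  }
  return diff;
}

// Ordering the report asks for: snapshot the wire headers first, then apply
// the viewer's own policy to a separate copy used for enforcement.
function snapshotThenRewrite(responseHeaders, viewerCsp) {
  const original = responseHeaders.map((h) => ({ ...h }));
  const enforced = responseHeaders.map((h) =>
    h.name.toLowerCase() === "content-security-policy"
      ? { name: h.name, value: viewerCsp }
      : { ...h }
  );
  return { original, enforced };
}

// Header values quoted in the report.
const SENT = "default-src 'none'";
const DISPLAYED = "default-src 'none' ; script-src resource:;";
console.log(diffCsp(SENT, DISPLAYED));
```
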

Comment on attachment 8971656 [details]
Bug 1457513 - Let JSON Viewer display unmodified headers

https://reviewboard.mozilla.org/r/240424/#review246378

Thanks for the patch & test, looks good to me!

R+ assuming try is green.

Honza

Attachment #8971656 - Flags: review?(odvarko) → review+
Keywords: checkin-needed
Assignee: nobody → oriol-bugzilla
Status: NEW → ASSIGNED

Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2d72766be0b3
Let JSON Viewer display unmodified headers r=Honza
Keywords: checkin-needed

https://hg.mozilla.org/mozilla-central/rev/2d72766be0b3
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → Firefox 61

Too late for 60. I'm not convinced we need to uplift this to ESR60 either, but I'd entertain an argument.

I'm with Ryan on this one.

Product: Firefox → DevTools