Closed Bug 1468988 Opened 4 years ago Closed 4 years ago

Cannot load svg file on https://firefox-source-docs.mozilla.org because of Content Security Policy

Categories

(Developer Infrastructure :: Source Documentation, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: jlorenzo, Unassigned)


In bug 1468751, we made sure SVGs were uploaded on https://firefox-source-docs.mozilla.org/. However, even though the file now exists[1], this page[2] doesn't show the SVG. The reason claimed in the console:

> Content Security Policy: The page’s settings blocked the loading of a resource at https://firefox-source-docs.mozilla.org/_images/pushapk.svg (“img-src”).

I'm unsure what configuration should be changed. It seems to be server-side, but I'm unsure.

[1] https://firefox-source-docs.mozilla.org/_images/pushapk.svg
`curl --location -I https://firefox-source-docs.mozilla.org/_images/pushapk.svg` returns:

> HTTP/2 200 
> content-type: image/svg+xml
> content-length: 112028
> content-security-policy: default-src 'none'; connect-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src data:; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
> date: Fri, 15 Jun 2018 16:22:14 GMT
> etag: "9bfd6802211eddd24dd652bf56ef9584"
> last-modified: Fri, 15 Jun 2018 09:58:33 GMT
> referrer-policy: origin
> server: AmazonS3
> strict-transport-security: max-age=63072000; includeSubDomains; always
> x-content-type-options: nosniff
> x-frame-options: DENY
> x-xss-protection: 1; mode=block
> x-cache: Miss from cloudfront
> via: 1.1 0576b942ae9f4fc9c0b62b0736e9bfd6.cloudfront.net (CloudFront)
> x-amz-cf-id: A-QX-v8Bya0-ctfpRLbnbg9MHPILje4XcozD-IBmmwSr02H2b0v-dg==


Of which the interesting part is (formatted):

> content-security-policy:
>   default-src 'none';
>   connect-src 'self';
>   font-src 'self' https://fonts.gstatic.com;
>   img-src data:;
>   script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com;
>   style-src 'self' 'unsafe-inline' https://fonts.googleapis.com

Per [1], we should change img-src to:

>   img-src data: https://firefox-source-docs.mozilla.org/;

I don't have access to the configuration of the S3 bucket. :gps, I was told you might be the right contact. If not, would you know who'd be the point person? 

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
Flags: needinfo?(gps)
Dustin set us up the S3 bucket and is the best person to make this change.
Flags: needinfo?(gps) → needinfo?(dustin)
Component: General → Generated Documentation
Product: Developer Documentation → Firefox Build System
Lambda function updated and deployed.
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(dustin)
Resolution: --- → FIXED
https://firefox-source-docs.mozilla.org/taskcluster/docs/taskcluster/pushapk.html now shows the image. Thank you!
Status: RESOLVED → VERIFIED
Product: Firefox Build System → Developer Infrastructure