Closed Bug 1468988 Opened 7 years ago Closed 7 years ago

Cannot load svg file on https://firefox-source-docs.mozilla.org because of Content Security Policy

Categories

(Developer Infrastructure :: Source Documentation, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: jlorenzo, Unassigned)


In bug 1468751, we made sure SVGs were uploaded on https://firefox-source-docs.mozilla.org/. However, even though the file now exists[1], this page[2] doesn't show the SVG. The reason claimed in the console:

> Content Security Policy: The page’s settings blocked the loading of a resource at https://firefox-source-docs.mozilla.org/_images/pushapk.svg (“img-src”).

I'm unsure what configuration should be changed. It seems to be server-side, but I'm unsure.

[1] https://firefox-source-docs.mozilla.org/_images/pushapk.svg
`curl --location -I https://firefox-source-docs.mozilla.org/_images/pushapk.svg` returns:

> HTTP/2 200
> content-type: image/svg+xml
> content-length: 112028
> content-security-policy: default-src 'none'; connect-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src data:; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
> date: Fri, 15 Jun 2018 16:22:14 GMT
> etag: "9bfd6802211eddd24dd652bf56ef9584"
> last-modified: Fri, 15 Jun 2018 09:58:33 GMT
> referrer-policy: origin
> server: AmazonS3
> strict-transport-security: max-age=63072000; includeSubDomains; always
> x-content-type-options: nosniff
> x-frame-options: DENY
> x-xss-protection: 1; mode=block
> x-cache: Miss from cloudfront
> via: 1.1 0576b942ae9f4fc9c0b62b0736e9bfd6.cloudfront.net (CloudFront)
> x-amz-cf-id: A-QX-v8Bya0-ctfpRLbnbg9MHPILje4XcozD-IBmmwSr02H2b0v-dg==

In which, the interesting part is (formatted):

> content-security-policy:
>   default-src 'none';
>   connect-src 'self';
>   font-src 'self' https://fonts.gstatic.com;
>   img-src data:;
>   script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com;
>   style-src 'self' 'unsafe-inline' https://fonts.googleapis.com

Per [1], we should change img-src to:

> img-src data: https://firefox-source-docs.mozilla.org/;

I don't have access to the configuration of the S3 bucket. :gps, I was told you might be the right contact. If not, would you know who'd be the point person?

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
Flags: needinfo?(gps)
Dustin set us up the S3 bucket and is the best person to make this change.
Flags: needinfo?(gps) → needinfo?(dustin)
Component: General → Generated Documentation
Product: Developer Documentation → Firefox Build System
Lambda function updated and deployed.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(dustin)
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Product: Firefox Build System → Developer Infrastructure