Closed Bug 1498060 Opened 3 years ago Closed 3 years ago
Saving to pocket triggers fatal assertion: about: page must contain a CSP including default-src
fixes bug 1498060 - Saving to pocket triggers fatal assertion: about: page must contain a CSP including default-src
46 bytes, text/x-phabricator-request
STR:
(1) Load a build with debug assertions enabled
(2) Navigate to an article
(3) Click the pocket icon in the menu bar

Assertion failure: parsedPolicyStr.Find("default-src") >= 0 (about: page must contain a CSP including default-src), at /files/mozilla/mc/q/dom/base/nsDocument.cpp:5368
I'll look into that right away actually!
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P2
The about page in question is:
> about:pocket-signup?pockethost=getpocket.com&fxasignedin=0&variant=storyboard_lm&controlvariant=true&inoverflowmenu=false&locale=en-us&panelid=3

which gets generated here: https://searchfox.org/mozilla-central/source/browser/components/pocket/content/main.js#186

We have two options:
(a) we can somehow add a CSP to about:pocket-signup,
(b) we can whitelist about:pocket-signup in all.js (which is what we do for some other special about pages) to not trigger the assertion.

If we can we should try to do (a); I would imagine we would add the meta CSP somewhere within this file: https://searchfox.org/mozilla-central/source/browser/components/pocket/content/panels/tmpl/signupstoryboard_shell.handlebars

Please note that any meta CSP added outside the <head> tags will be ignored by our HTML parser. So I guess the question is whether we can add those tags and if that is really what we should try to do here.

Jared, Justin, blame tells me you did a lot of work on pocket/content/main.js. What do you think is the best option?
I believe Scott will be helping out from the Pocket side so redirecting to him.
Flags: needinfo?(jaws) → needinfo?(sdowne)
Yeah I can help out where needed, not quite sure what's needed of me yet though :)
Hey Scott, please take a look at comment 3 for more information. In summary, we would like to add a strong CSP to all about: pages. It seems that various about: URIs within pocket, like e.g. about:pocket-signup, about:pocket, ... do not load with a meta CSP applied. Question is, how do we add CSPs to those pages? E.g. can we just make changes to e.g.  or does it take more than that?

Ideally we would like to add a meta CSP which would look something like the following (having a default-src defined and not allowing unsafe-inline to avoid script injection attacks):
> <head>
> <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
> </head>

https://searchfox.org/mozilla-central/source/browser/components/pocket/content/main.js#
https://searchfox.org/mozilla-central/source/browser/components/pocket/content/panels/tmpl/signupstoryboard_shell.handlebars
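A small checker, added here as an example and not part of Firefox or this bug's patch, that applies the rule the assertion in comment 1 enforces (a meta CSP that defines default-src) together with the caveat from comment 3 that a meta CSP outside `<head>` is ignored, and additionally flags 'unsafe-inline' as comment 5 asks. The template string is a constructed sample modelled on the snippet above; `checkAboutPageCsp` and `findMetaCsp` are names chosen for this example.

```javascript
// Parse name="value" attributes out of a single HTML start tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Return the policy declared via <meta http-equiv="Content-Security-Policy">
// inside <head>, or null. A meta CSP placed outside <head> is deliberately
// not seen here, mirroring what the HTML parser does (comment 3).
function findMetaCsp(html) {
  const head = /<head\b[^>]*>([\s\S]*?)<\/head>/i.exec(html);
  if (!head) return null;
  const metaRe = /<meta\b[^>]*>/gi;
  let m;
  while ((m = metaRe.exec(head[1])) !== null) {
    const a = parseAttrs(m[0]);
    const equiv = (a["http-equiv"] || "").toLowerCase();
    if (equiv === "content-security-policy" && a.content) return a.content;
  }
  return null;
}

// Check an about: page template: the CSP must exist and must define
// default-src (the debug assertion's condition); 'unsafe-inline' is rejected
// because it would defeat the protection against injected inline script.
function checkAboutPageCsp(html) {
  const csp = findMetaCsp(html);
  if (csp === null) return { ok: false, reason: "no meta CSP inside <head>" };
  const byName = new Map();
  for (const d of csp.split(";").map(s => s.trim()).filter(Boolean)) {
    const [name, ...values] = d.split(/\s+/);
    byName.set(name.toLowerCase(), values);
  }
  if (!byName.has("default-src")) return { ok: false, reason: "CSP lacks default-src" };
  for (const values of byName.values()) {
    if (values.includes("'unsafe-inline'")) return { ok: false, reason: "CSP allows 'unsafe-inline'" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample shaped like the proposed signup template head.
const SIGNUP_TEMPLATE = `<!DOCTYPE html><html><head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
</head><body><div id="pocket-signup"></div></body></html>`;
```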
I tested the above attachment with success. I don't see a reason to not do it? I'm curious when you need this on release by, example, can it ride the fx 65 train?
(In reply to Scott [:thecount] Downe from comment #7)
> I tested the above attachment with success. I don't see a reason to not do
> it?

Great, thanks! I assigned the bug to you :-)

> I'm curious when you need this on release by, example, can it ride the fx 65
> train?

Yeah, if that works, it can just ride the trains. I just r+ it in phabricator! Thank you!
Assignee: ckerschb → sdowne
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/fa9318d1cd17 fixes bug 1498060 - Saving to pocket triggers fatal assertion: about: page must contain a CSP including default-src r=ckerschb