Bug 1499064 - Apply Meta CSP to new about:debugging
Status: Closed, RESOLVED DUPLICATE of bug 1497197
Opened 6 years ago, closed 5 years ago
Categories: Core :: DOM: Security, enhancement, P3
People: Reporter: jdescottes, Unassigned
Whiteboard: [domsecurity-backlog1]
Attachments (2 files, 2 obsolete files):
  4.72 KB, patch
  8.45 KB, text/plain
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #4)
> (In reply to Julian Descottes [:jdescottes][:julian] from comment #3)
> > Looks good to me. We are planning to switch to a new about:debugging UI
> > soon. Do you want to apply the same fix to
> > devtools/client/aboutdebugging-new/index.html or should I log a separate
> > bug?
>
> We need a separate bug for that and remove the inline script, put and
> package it in an external file and load all of the JS [1] using a chrome:
> URL. Otherwise we would have to use 'unsafe-inline' in the CSP, and we are
> adding a CSP exactly to prevent inline script execution :-)
>
> [1] https://searchfox.org/mozilla-central/source/devtools/client/aboutdebugging-new/index.html#10-20
Reporter
Updated•6 years ago
Assignee: nobody → jdescottes
Status: NEW → ASSIGNED
Updated•6 years ago
Priority: P3 → P1
Comment 1•6 years ago
Hey Julien,
JFYI: all of Bug 1492063 is blocked by Bug 965637. So in case you try to apply a CSP to a system privileged about page (like about:debugging) the policy will be lost. The reason for that is that currently the CSP hangs off the Principal and the SystemPrincipal which is shared for all system privileged pages renders ::SetCSP() to a no-op. Hence we are moving the CSP from the Principal into the Client so we can apply CSP to system privileged pages.
Just in case you are wondering why the CSP is not enforced at the moment.
Reporter
Comment 2•6 years ago
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #1)
> Hey Julien,
>
> JFYI: all of Bug 1492063 is blocked by Bug 965637. So in case you try to
> apply a CSP to a system privileged about page (like about:debugging) the
> policy will be lost. The reason for that is that currently the CSP hangs off
> the Principal and the SystemPrincipal which is shared for all system
> privileged pages renders ::SetCSP() to a no-op. Hence we are moving the CSP
> from the Principal into the Client so we can apply CSP to system privileged
> pages.
>
> Just in case you are wondering why the CSP is not enforced at the moment.
I suppose this means that all the DevTools issues we have around CSPs (especially https://bugzilla.mozilla.org/show_bug.cgi?id=1391994) will start applying to our about: pages as soon as you turn this on?
I hope we can get a resolution for 1391994 quickly then, otherwise it will make working on those pages harder than today.
Reporter
Comment 3•6 years ago
Firefox keeps crashing if I add the meta to our index.html file.
I tried a bare index.html as follows:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:" />
</head>
<body></body>
</html>
No CSS, no JS, still crashes. Seems to work if I switch to xhtml. Is XHTML required here?
Flags: needinfo?(ckerschb)
Comment 4•6 years ago
(In reply to Julian Descottes [:jdescottes][:julian] from comment #3)
> No CSS, no JS, still crashes. Seems to work if I switch to xhtml. Is XHTML
> required here?
Shouldn't make a difference if you use .html, .xhtml.
What's crashing? Got a stacktrace by any chance?
Flags: needinfo?(ckerschb) → needinfo?(jdescottes)
Reporter
Comment 5•6 years ago
In DEBUG mode I get the following exception:
Assertion failure: parsedPolicyStr.Find("default-src") >= 0 (about: page must contain a CSP including default-src), at /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5370
https://searchfox.org/mozilla-central/rev/c9272ef398954288525e37196eada1e5a93d93bf/dom/base/nsDocument.cpp#5366
Not sure why we are hitting this assert here?
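An added lint, not Gecko code and not part of the patches attached to this bug, that checks an about: page's markup against two of the constraints raised in this thread: the meta policy must contain a default-src directive (the assertion quoted above), and inline scripts are only tolerated by 'unsafe-inline', which defeats the point of adding the CSP in the first place (comment 0), so any inline `<script>` is reported as something to move behind a chrome: URL. The HTML and CSP parsing is a small regex approximation that is adequate for markup like the bare index.html in comment 3; the sample pages are constructed for this example.

```javascript
// Added example, not from mozilla-central. Lints the CSP that an about: page
// declares via <meta http-equiv="Content-Security-Policy">:
//   1. the policy must contain a default-src directive;
//   2. 'unsafe-inline' for scripts is reported as a weakening of the policy;
//   3. inline <script> elements that the policy would block are reported.
// The parsers below are regex approximations for simple about: page markup.

// Parse a CSP string into a Map of directive name -> array of source values.
// Directive names are case-insensitive; a repeated directive is ignored
// (first occurrence wins), as in the CSP specification.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Return the content attribute of the first CSP meta tag, or null if absent.
function extractMetaCsp(html) {
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if (!/http-equiv\s*=\s*["']?content-security-policy["']?/i.test(tag)) continue;
    const c = tag.match(/content\s*=\s*(?:"([^"]*)"|'([^']*)')/i);
    if (c) return c[1] !== undefined ? c[1] : c[2];
  }
  return null;
}

// Count <script> elements without a src attribute, i.e. inline scripts.
function countInlineScripts(html) {
  let n = 0;
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    if (!/\bsrc\s*=/i.test(tag)) n++;
  }
  return n;
}

// Return a list of problems; an empty list means the page passes the lint.
function lintAboutPage(html) {
  const problems = [];
  const policy = extractMetaCsp(html);
  if (policy === null) {
    problems.push('no <meta http-equiv="Content-Security-Policy"> found');
    return problems;
  }
  const directives = parseCsp(policy);
  if (!directives.has("default-src")) {
    problems.push("CSP lacks default-src");
  }
  // script-src governs scripts and falls back to default-src when absent.
  const scriptSources =
    directives.get("script-src") || directives.get("default-src") || [];
  const allowsInline = scriptSources.some(
    (s) => s.toLowerCase() === "'unsafe-inline'"
  );
  if (allowsInline) {
    problems.push("CSP allows 'unsafe-inline' for scripts");
  }
  const inline = countInlineScripts(html);
  if (inline > 0 && !allowsInline) {
    problems.push(
      `${inline} inline <script> element(s) would be blocked; move them to a chrome: URL`
    );
  }
  return problems;
}

// Constructed sample pages (not taken from the repository).
const BARE_PAGE = `<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:" />
</head>
<body></body>
</html>`;

const INLINE_PAGE = BARE_PAGE.replace("</head>", "<script>window.init();</script>\n</head>");

const NO_DEFAULT_SRC_PAGE = BARE_PAGE.replace(
  'content="default-src chrome: resource:"',
  'content="script-src chrome:"'
);

const UNSAFE_INLINE_PAGE = INLINE_PAGE.replace(
  'content="default-src chrome: resource:"',
  'content="default-src chrome:; script-src chrome: \'unsafe-inline\'"'
);

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, html] of [["bare", BARE_PAGE], ["inline", INLINE_PAGE]]) {
    console.log(name, lintAboutPage(html));
  }
}
```

Run with `node` to lint the constructed pages; the bare page from comment 3 passes, the page with an inline script is told to move it out to a chrome: URL, and a policy without default-src is reported separately from one that merely weakens itself with 'unsafe-inline'.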
Reporter
Comment 7•6 years ago
(note if you want to try the patch you need to first enable the new about:debugging by setting `devtools.aboutdebugging.new-enabled` to true in about:config)
Reporter
Comment 8•6 years ago
Sorry, wrong version of the patch ...
Attachment #9017432 -
Attachment is obsolete: true
Reporter
Comment 9•6 years ago
Logs when I try to navigate to about:debugging
Reporter
Updated•6 years ago
Assignee: jdescottes → nobody
No longer blocks: remote-debugging-ng-m1
Status: ASSIGNED → NEW
Priority: P1 → P3
Reporter
Comment 10•6 years ago
This preparatory work will be necessary to enable CSP for the new about:debugging.
Updated•6 years ago
Attachment #9017514 -
Attachment is obsolete: true
Comment 11•5 years ago
In fact we can land both changes at the same time within Bug 1497197 by now.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE