Closed Bug 1499064 Opened 6 years ago Closed 5 years ago

Apply Meta CSP to new about:debugging

Categories

(Core :: DOM: Security, enhancement, P3)

enhancement

RESOLVED DUPLICATE of bug 1497197

People

(Reporter: jdescottes, Unassigned)

References

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(2 files, 2 obsolete files)

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #4)
> (In reply to Julian Descottes [:jdescottes][:julian] from comment #3)
> > Looks good to me. We are planning to switch to a new about:debugging UI soon. Do you want to apply the same fix to devtools/client/aboutdebugging-new/index.html or should I log a separate bug?
>
> We need a separate bug for that and remove the inline script, put and package it in an external file and load all of the JS [1] using a chrome: URL. Otherwise we would have to use 'unsafe-inline' in the CSP, and we are adding a CSP exactly to prevent inline script execution :-)
>
> [1] https://searchfox.org/mozilla-central/source/devtools/client/aboutdebugging-new/index.html#10-20
Assignee: nobody → jdescottes
Status: NEW → ASSIGNED
Priority: P3 → P1
Hey Julian, JFYI: all of Bug 1492063 is blocked by Bug 965637. So in case you try to apply a CSP to a system privileged about page (like about:debugging) the policy will be lost. The reason for that is that currently the CSP hangs off the Principal and the SystemPrincipal which is shared for all system privileged pages renders ::SetCSP() to a no-op. Hence we are moving the CSP from the Principal into the Client so we can apply CSP to system privileged pages. Just in case you are wondering why the CSP is not enforced at the moment.
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #1)
> Hey Julian,
>
> JFYI: all of Bug 1492063 is blocked by Bug 965637. So in case you try to apply a CSP to a system privileged about page (like about:debugging) the policy will be lost. The reason for that is that currently the CSP hangs off the Principal and the SystemPrincipal which is shared for all system privileged pages renders ::SetCSP() to a no-op. Hence we are moving the CSP from the Principal into the Client so we can apply CSP to system privileged pages.
>
> Just in case you are wondering why the CSP is not enforced at the moment.

I suppose this means that all the DevTools issues we have around CSPs (especially https://bugzilla.mozilla.org/show_bug.cgi?id=1391994) will start applying to our about: pages as soon as you turn this on? I hope we can get a resolution for 1391994 quickly then, otherwise it will make working on those pages harder than today.
Firefox keeps crashing if I add the meta to our index.html file. I tried a bare index.html as follows:

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:" />
  </head>
  <body></body>
</html>

No CSS, no JS, still crashes. Seems to work if I switch to xhtml. Is XHTML required here?
Flags: needinfo?(ckerschb)
(In reply to Julian Descottes [:jdescottes][:julian] from comment #3)
> No CSS, no JS, still crashes. Seems to work if I switch to xhtml. Is XHTML required here?

Shouldn't make a difference if you use .html, .xhtml. What's crashing? Got a stacktrace by any chance?
Flags: needinfo?(ckerschb) → needinfo?(jdescottes)
In DEBUG mode I get the following exception:

Assertion failure: parsedPolicyStr.Find("default-src") >= 0 (about: page must contain a CSP including default-src), at /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5370

https://searchfox.org/mozilla-central/rev/c9272ef398954288525e37196eada1e5a93d93bf/dom/base/nsDocument.cpp#5366

Not sure why we are hitting this assert here?
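The two requirements this thread turns on, as an added example that is not Firefox or DevTools code: a small lint over an about: page's markup that checks for a meta CSP carrying a default-src directive (what the nsDocument.cpp assertion in the previous comment demands) and flags inline <script> blocks, which a policy without 'unsafe-inline' would block (the reason given in comment #0 for moving the script into an external file loaded from a chrome: URL). The sample pages and the chrome://example URL are constructed for illustration.

```javascript
// Added example (not Firefox/DevTools code): lint an about: page's HTML for
// the two properties discussed above. Regex-based, which is enough for the
// small static documents used as about: pages; sample pages are constructed.

// Split "default-src chrome: resource:; script-src chrome:" into
// a Map of directive name -> list of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Return the content attribute of the Content-Security-Policy meta tag, or null.
function extractMetaCsp(html) {
  const meta = /<meta\b[^>]*http-equiv\s*=\s*["']Content-Security-Policy["'][^>]*>/i.exec(html);
  if (!meta) return null;
  const content = /\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(meta[0]);
  return content ? (content[1] ?? content[2]) : null;
}

// Returns a list of findings; an empty list means the page is ready for a CSP.
function checkAboutPage(html) {
  const findings = [];
  const policy = extractMetaCsp(html);
  if (policy === null) return ['missing meta Content-Security-Policy'];
  const csp = parseCsp(policy);
  // The nsDocument.cpp assertion requires about: pages to carry default-src.
  if (!csp.has('default-src')) findings.push('policy lacks default-src');
  // script-src falls back to default-src when it is absent.
  const scriptSources = csp.get('script-src') ?? csp.get('default-src') ?? [];
  if (scriptSources.includes("'unsafe-inline'")) findings.push("policy allows 'unsafe-inline' scripts");
  // A <script> without src= is an inline script and would be blocked by the policy.
  const inline = (html.match(/<script\b[^>]*>/gi) ?? []).filter(t => !/\bsrc\s*=/i.test(t)).length;
  if (inline > 0) findings.push(`${inline} inline <script> block(s) would be blocked`);
  return findings;
}

// Constructed sample pages (the chrome://example URL is a placeholder).
const READY_PAGE = `<!DOCTYPE html><html><head>
<meta http-equiv="Content-Security-Policy" content="default-src chrome: resource:" />
<script src="chrome://example/content/index.js"></script></head><body></body></html>`;
const INLINE_PAGE = `<!DOCTYPE html><html><head>
<meta http-equiv="Content-Security-Policy" content="script-src chrome:">
<script>init();</script></head><body></body></html>`;

console.log(checkAboutPage(READY_PAGE));  // []
console.log(checkAboutPage(INLINE_PAGE)); // [ 'policy lacks default-src', '1 inline <script> block(s) would be blocked' ]
```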
Attached patch wip-csp-new-aboutdebugging.patch (obsolete) — Splinter Review
wip patch that crashes
Flags: needinfo?(jdescottes)
(note if you want to try the patch you need to first enable the new about:debugging by setting `devtools.aboutdebugging.new-enabled` to true in about:config)
sorry wrong version of the patch ...
Attachment #9017432 - Attachment is obsolete: true
Attached file logs.txt
Logs when I try to navigate to about:debugging
Depends on: 1499355
Depends on: 1499357
Assignee: jdescottes → nobody
No longer blocks: remote-debugging-ng-m1
Status: ASSIGNED → NEW
Priority: P1 → P3
This preparatory work will be necessary to enable CSP for the new about:debugging.
Attachment #9017514 - Attachment is obsolete: true

In fact we can land both changes at the same time within Bug 1497197 by now.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE