Closed
Bug 1503871
Opened 6 years ago
Closed 6 years ago
SVGs not rendered for buttons/icons, making those elements invisible
Categories
(DevTools :: Debugger, defect)
DevTools
Debugger
Tracking
(firefox-esr60 unaffected, firefox63 unaffected, firefox64 unaffected, firefox65+ verified)
VERIFIED
FIXED
Firefox 65
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox63 | --- | unaffected |
firefox64 | --- | unaffected |
firefox65 | + | verified |
People
(Reporter: Harald, Assigned: bradwerth)
References
Details
(Keywords: regression)
Attachments
(3 files, 1 obsolete file)
65.0a1 (2018-11-01) (64-bit) STR: Open Debugger Step & pause buttons are invisible but hoverable for tooltips.
Comment 1•6 years ago
|
||
It looks like these commits introduced the issue 0a08088df7b5 Bug 1501503 Part 2: Test that CORS rejection messages are output for loads triggered from styles. r=ckerschb a4d0a122a3d1 Bug 1501503: Report cross-origin load failures in more cases. r=ckerschb
Comment 2•6 years ago
|
||
Reporter | ||
Updated•6 years ago
|
Summary: Invisible pause/step buttons → SVGs not rendered for buttons/icons, making those elements invisible
Updated•6 years ago
|
Severity: normal → blocker
Assignee | ||
Comment 4•6 years ago
|
||
Assignee | ||
Updated•6 years ago
|
Assignee: nobody → bwerth
Comment 5•6 years ago
|
||
Regressed in https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=7fac836796900045b621a258719127c0805fe4db&tochange=e79a4c8e28669b9a9e15a01535fb80adff870f10
Comment 6•6 years ago
|
||
(In reply to Brad Werth [:bradwerth] from comment #4) > Created attachment 9021895 [details] > Bug 1503871: Make CORS checks trivally pass through a SystemPrincipal as the > loading principal. r?ckerschb! Hey Brad, what is the console warning in that particular case? Looking at your patch I am quite curious when it would ever be the case that the triggeringPrincipal is not a systemPrincipal but the loadingPrincipal is.
Flags: needinfo?(bwerth)
Comment 7•6 years ago
|
||
An example error log looks like:
> Security Error: Content at resource://devtools/client/debugger/new/dist/debugger.css may not load or link to chrome://devtools/skin/images/debugger/close.svg.
Which sounds to me like devtools/client/debugger/new/dist/debugger.css isn't getting the system principal it needs to load that.
Changing this code to permit loads into system principal documents seems like it will cause security regressions though. Do the mask's need to be chrome:// ?
Assignee | ||
Comment 8•6 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #6) > Hey Brad, what is the console warning in that particular case? Looking at > your patch I am quite curious when it would ever be the case that the > triggeringPrincipal is not a systemPrincipal but the loadingPrincipal is. The first error I get is from a path where this URL is attempting to be loaded with CORS anonymous headers (presumably because of a mask-image): "file:///Users/brad/repos/obj-stylo/dist/NightlyDebug.app/Contents/Resources/browser/chrome/devtools/skin/images/devtools-components/arrow.svg" In that case, the loading principal is a/the System Principal, and the triggering principal is a ContentPrincipal with the codebase URL "resource://devtools/client/debugger/new/dist/debugger.css" That triggers a CheckLoadURIError, which reads: Security Error: Content at resource://devtools/client/debugger/new/dist/debugger.css may not load or link to chrome://devtools/skin/images/devtools-components/arrow.svg. So, it appears we can have cases where the loading principal is a System Principal and the triggering principal is not, which is why my proposed patch makes a difference in this case.
Flags: needinfo?(bwerth)
Assignee | ||
Comment 10•6 years ago
|
||
(In reply to Jonathan Kingston [:jkt] from comment #7) > Changing this code to permit loads into system principal documents seems > like it will cause security regressions though. Do the mask's need to be > chrome:// ? The uses in debugger.css[1][2] both seem to use chrome protocol URLs already. [1][https://searchfox.org/mozilla-central/rev/7c848ac7630df5baf1314b0c03e015683599efb9/devtools/client/debugger/new/dist/debugger.css#341] [2][https://searchfox.org/mozilla-central/rev/7c848ac7630df5baf1314b0c03e015683599efb9/devtools/client/debugger/new/dist/debugger.css#1099]
Comment 11•6 years ago
|
||
(In reply to Brad Werth [:bradwerth] from comment #8) > So, it appears we can have cases where the loading principal is a System > Principal and the triggering principal is not, which is why my proposed > patch makes a difference in this case. As explained in the phab, that change looks to risky and like a potential footgun to me. We need to find something else. I guess what Jonathan was proposing sounds like a plausible path forward - if we can load both the css and svg using resource: URIs the problem should disappear.
Updated•6 years ago
|
Attachment #9021895 -
Attachment is obsolete: true
Assignee | ||
Comment 12•6 years ago
|
||
Assignee | ||
Comment 13•6 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #11) > As explained in the phab, that change looks to risky and like a potential > footgun to me. We need to find something else. I guess what Jonathan was > proposing sounds like a plausible path forward - if we can load both the css > and svg using resource: URIs the problem should disappear. Understood. Attachment 9023072 [details] switches all of the URLs to use resource:// schemes. This avoids the security errors, but the images still do not appear for a reason I have yet to determine. Stepping through the security check code in all the places where I can think to check, the loads appear to be successful. So this patch may be part of the solution, but it's not the whole solution.
Assignee | ||
Comment 14•6 years ago
|
||
(In reply to Jonathan Kingston [:jkt] from comment #7) > An example error log looks like: > > > Security Error: Content at resource://devtools/client/debugger/new/dist/debugger.css may not load or link to chrome://devtools/skin/images/debugger/close.svg. > > Which sounds to me like devtools/client/debugger/new/dist/debugger.css isn't > getting the system principal it needs to load that. Agreed. The System Principal loads debugger.css, and then when the "mask:" declaration in there is resolved, it's loaded by a content principal for debugger.css, which doesn't have sufficient permissions to load the content into the document. Changing this would require the URLExtraData for the SVG element to be created earlier than MappedAttrParser::ParseMappedAttrValue, when it still has access to the triggering principal used when debugger.css was loaded. Hard to do. I'll continue to see if I can make the change to "resource://" URLs work, because it will not be easy to change the principal at the time the SVGs are loaded.
Comment 16•6 years ago
|
||
(In reply to Brad Werth [:bradwerth] from comment #14) > (In reply to Jonathan Kingston [:jkt] from comment #7) > > An example error log looks like: > > > > > Security Error: Content at resource://devtools/client/debugger/new/dist/debugger.css may not load or link to chrome://devtools/skin/images/debugger/close.svg. > > > > Which sounds to me like devtools/client/debugger/new/dist/debugger.css isn't > > getting the system principal it needs to load that. > > Agreed. The System Principal loads debugger.css, and then when the "mask:" > declaration in there is resolved, it's loaded by a content principal for > debugger.css, which doesn't have sufficient permissions to load the content > into the document. Changing this would require the URLExtraData for the SVG > element to be created earlier than MappedAttrParser::ParseMappedAttrValue, > when it still has access to the triggering principal used when debugger.css > was loaded. Hard to do. > > I'll continue to see if I can make the change to "resource://" URLs work, > because it will not be easy to change the principal at the time the SVGs are > loaded. I tried to migrate everything CSS from chrome:// to resource:// in the past: Bug 1311541. It stalled because we were unsure about performance and it was no longer needed at some point, but the patches were working so you can look at them as a reference. It looks like you at least need to: - add the svgs to the relevant moz.build so that they can be accessible via resource:// - remove them from jar.mn - change paths from `chrome://devtools/skin/images/` to `resource://devtools/client/themes/images/`
Updated•6 years ago
|
tracking-firefox65:
--- → ?
Assignee | ||
Comment 17•6 years ago
|
||
Jason tells me he's built a fix. Taking myself off the bug so he can land patches.
Assignee: bwerth → nobody
Flags: needinfo?(jlaster)
Comment 18•6 years ago
|
||
Pushed by jlaster@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/50586a989dc4 Change all of the debugger.css SVG mask URLs to use resource scheme. r=bradwerth
Updated•6 years ago
|
Flags: needinfo?(jlaster)
Comment 19•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/50586a989dc4
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 65
Updated•6 years ago
|
Assignee: nobody → bwerth
Updated•6 years ago
|
Updated•5 years ago
|
Flags: qe-verify+
Comment 20•5 years ago
•
|
||
Confirmed issue with ffx 65.0a1(20181101220058) on Windows10.
Fix verified with 65.0b12 on Windows 10, macOS 10.11, Ubuntu18.04.
You need to log in
before you can comment on or make changes to this bug.
Description
•