Open Bug 1537685 Opened 5 years ago Updated 2 years ago

Add test that iterates all about: pages and ensure they all have a valid CSP

Categories

(Core :: DOM: Security, enhancement, P2)

enhancement

Tracking

()

People

(Reporter: ckerschb, Unassigned)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 obsolete file)

It seems it's possible that about pages can still ship without a CSP attached as illustrated within [1]. Maybe it's possible to add a test where we can iterate all about pages and ensure they all have a valid CSP.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1449845#c15

Assignee: nobody → ckerschb
Blocks: 1449845
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Assignee: ckerschb → streich.mobile
Depends on: 1492063

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:sstreich, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(streich.mobile)

Landing this bug is blocked on Bug 1492063 - once that has been resolved we can land the patch within this bug.

Flags: needinfo?(streich.mobile)

Basti, all about: pages are secured by a CSP (see https://bugzilla.mozilla.org/show_bug.cgi?id=1492063#c4) I think we can move forward with this bug now, though I remember you wanted to slightly rewrite it so it doesn't depend on xul right?

Flags: needinfo?(sstreich)

Rewrite is not needed atm (I was assuming the XUL removal meant that the .xul test would be rendered unusable, but that was false).
I've run the test quickly through try.
https://treeherder.mozilla.org/#/jobs?repo=try&selectedJob=270460474&revision=7eb48292e2fc5485b1d1ca9a760fc48046d60eb9
But it reports missing csp for:
TEST-UNEXPECTED-FAIL | about:credits - Has at Least 1 CSP Rule. Count: 0
TEST-UNEXPECTED-FAIL | about:logo - Has at Least 1 CSP Rule. Count: 0
TEST-UNEXPECTED-FAIL | about:sync-log - Has at Least 1 CSP Rule. Count: 0

I've already seen in the meta bug that I should probably whitelist about:sync-log as in 1497212.
Can I assume the other 2 are working the same way?

Flags: needinfo?(sstreich) → needinfo?(ckerschb)

(In reply to Sebastian Streich [:sstreich] from comment #5)

> But it reports missing csp for:
> TEST-UNEXPECTED-FAIL | about:credits - Has at Least 1 CSP Rule. Count: 0

Hm, that one is interesting. Not sure why that would be failing. Running about:credits in the browser itself works, but it loads the actual page from the web, so we need to figure out what we load in the test, where we definitely do not load things from the web. Probably we have some dummy page that we load; we should add a CSP there.

> TEST-UNEXPECTED-FAIL | about:logo - Has at Least 1 CSP Rule. Count: 0

I filed Bug 1587417 to add about:logo to the allowlist because adding a CSP to it doesn't make sense.

> TEST-UNEXPECTED-FAIL | about:sync-log - Has at Least 1 CSP Rule. Count: 0

That is in the allowlist, so you should probably greenlight it in the test, see: https://searchfox.org/mozilla-central/source/dom/security/nsContentSecurityUtils.cpp#478

Flags: needinfo?(ckerschb)

> Hm, that one is interesting. Not sure why that would be failing. Running about:credits in the browser itself works, but it loads the actual page from the web, so we need to figure out what we load in the test, where we definitely do not load things from the web. Probably we have some dummy page that we load; we should add a CSP there.

Just checked that, we're getting a 404 page from the test server, so I will just skip the page in the test. Thanks for clarifying!

Assignee: sstreich → nobody
Status: ASSIGNED → NEW
Attachment #9072531 - Attachment is obsolete: true
Severity: normal → S3
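The check the thread converges on (iterate every about: page, require at least one CSP directive, accept an explicit allowlist, and skip pages the test server cannot serve) can be illustrated stand-alone. The block below is an added example written for this page; it is not the patch attached to the bug or any Firefox/mochitest code. The `SAMPLE_PAGES` table, the HTTP status values and the CSP strings are constructed, the `ALLOWLIST` contents are taken from the comments above (about:logo, about:sync-log), and the `TEST-*` output lines only imitate the format quoted in comment #5.

```javascript
// Constructed sample input: what a CSP check would observe per about: page.
// Not real Firefox data; status codes and CSP values are illustrative.
const SAMPLE_PAGES = {
  "about:blank":    { status: 200, csp: "default-src chrome:; object-src 'none'" },
  "about:config":   { status: 200, csp: "default-src chrome:; img-src data:" },
  "about:credits":  { status: 404, csp: null },   // test server has no copy of the web page
  "about:logo":     { status: 200, csp: null },   // allowlisted: a CSP makes no sense for an image
  "about:sync-log": { status: 200, csp: null },   // allowlisted per the bug comments
  "about:broken":   { status: 200, csp: ";  ;" }, // header present but carries no directive
};

// Pages deliberately accepted without a CSP (names taken from the bug comments).
const ALLOWLIST = new Set(["about:logo", "about:sync-log"]);

// Split a CSP header value into its non-empty directives.
// A header that is present but empty must count as zero rules, not one.
function cspDirectives(csp) {
  if (typeof csp !== "string") return [];
  return csp.split(";").map(d => d.trim()).filter(d => d.length > 0);
}

// Walk every page and classify it as passed / failed / skipped.
// Returns { passed, failed, skipped, lines } where `lines` mimics the
// TEST-PASS / TEST-UNEXPECTED-FAIL format quoted in the thread.
function checkAboutPagesCsp(pages, allowlist = ALLOWLIST) {
  const result = { passed: [], failed: [], skipped: [], lines: [] };
  for (const [name, info] of Object.entries(pages)) {
    if (allowlist.has(name)) {
      result.skipped.push(name);
      result.lines.push(`TEST-SKIP | ${name} - allowlisted, no CSP required`);
      continue;
    }
    if (info.status !== 200) {
      // A 404 from the test server tells us nothing about the real page's CSP.
      result.skipped.push(name);
      result.lines.push(`TEST-SKIP | ${name} - not loadable in test (HTTP ${info.status})`);
      continue;
    }
    const count = cspDirectives(info.csp).length;
    const verdict = count >= 1 ? "TEST-PASS" : "TEST-UNEXPECTED-FAIL";
    result.lines.push(`${verdict} | ${name} - Has at Least 1 CSP Rule. Count: ${count}`);
    (count >= 1 ? result.passed : result.failed).push(name);
  }
  return result;
}

// Run against the constructed table and print the report.
console.log(checkAboutPagesCsp(SAMPLE_PAGES).lines.join("\n"));
```

Keeping the allowlist as an explicit, reviewable set is the point of the exercise: a page that silently ships without a CSP shows up as a failure, while every exception is named in one place where a reviewer can ask why it is there.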
