Add carveout for NullPrincipal when asserting if explicit CSP and CSP on Principal are equal

RESOLVED FIXED in Firefox 68

Status

()

defect
P1
normal
RESOLVED FIXED
2 months ago
Last month

People

(Reporter: ckerschb, Assigned: ckerschb)

Tracking

unspecified
mozilla68
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox68 fixed)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 attachments)

Using a clean profile do:

  • Navigate to data:application/json,["visit%20http://mozilla.org"]
  • It should open the JSON Viewer, with a mozilla.org link, click on it

Assertion in nsDocshell fires exhibiting that the explicit CSP and the CSP on the triggeringPrincipal are not equal.

Assignee

Updated

2 months ago
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [domsecurity-active]

Jonathan, Gijs, I found the problem why the assertion in nsDoShell is firing, but I am not sure if it's worth landing my patch given that we are so close to land Bug 965637 (which is ready for review today). Probably we might open a can of worms.

In detail:
We have not been serializing the CSP within the Principal for NullPrincipals. Please note that we have never been doing that and the problem disappears after Bug 965637, which would remove all the code we would add within this patch.

I think it might be the better solution to add a carveout to the assertion within nsDocshell and just do not assert for NullPrincipals so the update within Bug 1540069 can land.

What do you think?

Flags: needinfo?(jkt)
Flags: needinfo?(gijskruitbosch+bugs)

Comment 2

2 months ago

Assuming bug 965637 lands soon that wfm.

Flags: needinfo?(gijskruitbosch+bugs)
Assignee

Updated

2 months ago
Summary: Missing callsite in frontend code does not explicitly pass a CSP → Add carveout for NullPrincipal when asserting if explicit CSP and CSP on Principal are equal

Comment 4

2 months ago
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/7a36097057bd
Add carveout for NullPrincipal when asserting if explicit CSP and CSP on Principal are equal. r=Gijs

Comment 5

2 months ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Regressions: 1547957

Clearing ni. We agreed over slack.

Flags: needinfo?(jkt)
You need to log in before you can comment on or make changes to this bug.