Closed Bug 1566734 Opened 4 months ago Closed 4 months ago

JSON Viewer fails with a CSP error when coming from about:telemetry

Categories

(DevTools :: JSON Viewer, defect, P1)

69 Branch
defect

Tracking

(firefox-esr60 unaffected, firefox-esr68 unaffected, firefox68 unaffected, firefox69 verified, firefox70 verified)

VERIFIED FIXED
Firefox 70

People

(Reporter: janerik, Assigned: ckerschb)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

When clicking "Raw JSON" on any ping data on about:telemetry it should open the contained JSON as a JSON document (via a data: URI), which then triggers the JSON viewer for nice display.
This fails.

What were you doing?

  1. Open about:telemetry
  2. Click "Raw JSON" in the lower left
  3. This opens a new tab with a data: URI (data:application/json;base64,ewog...)

What happened?

It displays the JSON in plain text.

What should have happened?

It should have displayed the JSON in the rich JSON viewer.

Anything else we should know?

This in the console:

Loading failed for the <script> with source “resource://devtools-client-jsonview/lib/require.js”.
Content Security Policy: The page’s settings blocked the loading of a resource at resource://devtools-client-jsonview/lib/require.js (“default-src”).

I verified that the JSON in the data: URI is valid (base64-decoding it and pasting it into a JSON parser).
The data: URI works fine if copied from the URL bar and pasted into a new tab.
Here's the code where about:telemetry opens the new location.

This happens on Firefox Nightly 70.0a1, build id 20190716211651, macOS.

The JSON Viewer overrides the CSP to allow scripts from resource://, but it seems it's not working properly?
https://searchfox.org/mozilla-central/rev/22b330ecb3edba1536a54887060cbdd09db21c59/devtools/client/jsonview/converter-child.js#281-284

Regressed by: 1497213
Version: unspecified → 69 Branch

Christoph, anything we need to do in DevTools, or does this need follow up CSP work from bug 1497213?

Flags: needinfo?(ckerschb)

(In reply to :Harald Kirschner :digitarald from comment #2)

Christoph, anything we need to do in DevTools, or does this need follow up CSP work from bug 1497213?

Most likely we also have to open up the CSP to also allow resource: URIs to be loaded. I'll investigate and fix.

Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Flags: needinfo?(ckerschb)
Priority: -- → P1
Keywords: checkin-needed

Bug 1497213, which caused the regression, landed for 69, so we probably want to uplift the fix within this patch.

Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cd8429ed9948
Update CSP for about:telemetry to include resource:. r=Gijs

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 70

Comment on attachment 9079082 [details]
Bug 1566734: Update CSP for about:telemetry to include resource:. r=gijs

Beta/Release Uplift Approval Request

  • User impact if declined: Broken "Raw json" entry in about:telemetry
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: n/a
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small change in CSP to restore functionality
  • String changes made/needed: none
Attachment #9079082 - Flags: approval-mozilla-beta?

(In reply to Oriol Brufau [:Oriol] from comment #1)

The JSON Viewer overrides the CSP to allow scripts from resource://, but it seems it's not working properly?

I'm still kind of curious about this. Christoph, can you explain why the JSON viewer's own CSP doesn't take precedence here?

Flags: needinfo?(ckerschb)

Comment on attachment 9079082 [details]
Bug 1566734: Update CSP for about:telemetry to include resource:. r=gijs

Minor CSP fix for about:telemetry. Approved for 69.0b7.

Attachment #9079082 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

(In reply to :Gijs (he/him) from comment #9)

(In reply to Oriol Brufau [:Oriol] from comment #1)

The JSON Viewer overrides the CSP to allow scripts from resource://, but it seems it's not working properly?

I'm still kind of curious about this. Christoph, can you explain why the JSON viewer's own CSP doesn't take precedence here?

The page about:telemetry shipped with a CSP of "default-src chrome:". Clicking the Raw JSON opens a new data: URI. Since data: URIs inherit the CSP of the opening context, the new data: URI has a CSP of "default-src chrome:" plus whatever CSP is applied within the data: URI. Please note that the CSPs are merged together and any load must pass all the CSP checks. Put differently, if even only one policy denies the load, like in that case the load of "resource://devtools-client-jsonview/lib/require.js", then the load is blocked.

Flags: needinfo?(ckerschb)
Flags: qe-verify+
QA Whiteboard: [qa-triaged]
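The merging rule described in the comment above, as an added example that is not Firefox code and not part of this bug's patch: a small model of CSP evaluation in which every policy in force is checked independently and a load succeeds only if all of them allow it. The about:telemetry policy before the fix ("default-src chrome:") and the blocked script URL are quoted in this bug; the post-fix policy string is assumed from the commit title; the JSON viewer policy is an assumed stand-in, not the real one from converter-child.js.

```javascript
// Added example, not Firefox code: a small model of how several Content
// Security Policies in force on one document combine. Each policy is checked
// on its own, and a load goes through only if every policy allows it. That is
// why the "default-src chrome:" inherited from about:telemetry blocks the JSON
// viewer's resource:// script even though the viewer's own policy allows it.

// Parse a serialized policy into Map<directive, [source expressions]>.
// As in the spec, a repeated directive name is ignored after its first use.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const part of serialized.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Match one source expression against a parsed URL. Simplified to the forms
// that matter here: 'none', 'self', '*', scheme sources ("chrome:",
// "resource:") and scheme://host[/path-prefix] sources.
function sourceMatches(source, url, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === selfOrigin;
  if (source === "*") return !["data:", "blob:", "filesystem:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol.toLowerCase() === source.toLowerCase();
  }
  let host;
  try {
    host = new URL(source);
  } catch {
    return false; // schemeless host sources are not modelled here
  }
  if (host.protocol !== url.protocol || host.host !== url.host) return false;
  return host.pathname === "" || host.pathname === "/" || url.pathname.startsWith(host.pathname);
}

// Which directive governs a load: the specific one if present, otherwise
// default-src; with neither present the policy does not restrict the load.
function policyAllows(policy, directive, url, selfOrigin) {
  const key = policy.has(directive) ? directive : "default-src";
  if (!policy.has(key)) return true;
  return policy.get(key).some((s) => sourceMatches(s, url, selfOrigin));
}

// Evaluate a load against every policy in force. Returns the serialized
// policies that blocked it; an empty array means the load is allowed.
function blockingPolicies(policies, directive, urlString, selfOrigin = "null") {
  const url = new URL(urlString);
  return policies.filter((p) => !policyAllows(parsePolicy(p), directive, url, selfOrigin));
}

// Constructed scenario. The about:telemetry policy before the fix and the
// blocked script URL are quoted in this bug; the post-fix policy is assumed
// from the commit title; the JSON viewer policy is an assumed stand-in, not
// the real one from converter-child.js.
const ABOUT_TELEMETRY_CSP_BEFORE = "default-src chrome:";
const ABOUT_TELEMETRY_CSP_AFTER = "default-src chrome: resource:";
const JSON_VIEWER_CSP = "default-src 'none'; script-src resource:; style-src resource:";
const REQUIRE_JS = "resource://devtools-client-jsonview/lib/require.js";

function demo() {
  return {
    // data: URI opened from about:telemetry: inherited policy plus viewer policy
    before: blockingPolicies([ABOUT_TELEMETRY_CSP_BEFORE, JSON_VIEWER_CSP], "script-src", REQUIRE_JS),
    after: blockingPolicies([ABOUT_TELEMETRY_CSP_AFTER, JSON_VIEWER_CSP], "script-src", REQUIRE_JS),
    // same data: URI pasted into a fresh tab: nothing to inherit, viewer policy only
    direct: blockingPolicies([JSON_VIEWER_CSP], "script-src", REQUIRE_JS),
  };
}

console.log(demo());
```

Running it shows the three observations from the bug in one place: with the inherited policy the only blocker is "default-src chrome:" (the viewer's own policy passes), widening that policy to "default-src chrome: resource:" clears the block, and the same data: URI with nothing to inherit loads fine, which matches the reporter's note that pasting the URI into a new tab works.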

Issue confirmed with 70.0a1(2019-07-07).
Fix verified with 69.0b7, 70.0a1 (2019-07-22).

Status: RESOLVED → VERIFIED
Flags: qe-verify+