Closed Bug 1571323 Opened 5 years ago Closed 5 years ago

Interactive tasks don't work because of CSP errors in latest Firefox nightly

Categories

(Taskcluster :: UI, defect)

Product:
Taskcluster
Component:
UI
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: glandium, Unassigned)

References

Details

This is what I see in the browser console when opening an interactive task:

Content Security Policy: ページの設定により次のリソースの読み込みをブロックしました: wss://elkk6oyaaaawyx6q7qyxvveee5pautjxrgv3bhgww5abc5en.taskcluster-worker.net:49559/3QuSn8i4S9Clc7SpPVpwdA/shell.sock?tty=true&command=sh&command=-c&command=if%20%5B%20-f%20%22%2Fetc%2Ftaskcluster-motd%22%20%5D%3B%20then%20cat%20%2Fetc%2Ftaskcluster-motd%3B%20fi%3Bif%20%5B%20-z%20%22%24TERM%22%20%5D%3B%20then%20export%20TERM%3Dxterm%3B%20fi%3Bif%20%5B%20-z%20%22%24HOME%22%20%5D%3B%20then%20export%20HOME%3D%2Froot%3B%20fi%3Bif%20%5B%20-z%20%22%24USER%22%20%5D%3B%20then%20export%20USER%3Droot%3B%20fi%3Bif%20%5B%20-z%20%22%24LOGNAME%22%20%5D%3B%20then%20export%20LOGNAME%3Droot%3B%20fi%3Bif%20%5B%20-z%20%60which%20%22%24SHELL%22%60%20%5D%3B%20then%20export%20SHELL%3Dbash%3B%20fi%3Bif%20%5B%20-z%20%60which%20%22%24SHELL%22%60%20%5D%3B%20then%20export%20SHELL%3Dsh%3B%20fi%3Bif%20%5B%20-z%20%60which%20%22%24SHELL%22%60%20%5D%3B%20then%20export%20SHELL%3D%22%2F.taskclusterutils%2Fbusybox%20sh%22%3B%20fi%3BSPAWN%3D%22%24SHELL%22%3Bif%20%5B%20%22%24SHELL%22%20%3D%20%22bash%22%20%5D%3B%20then%20SPAWN%3D%22bash%20-li%22%3B%20fi%3Bif%20%5B%20-f%20%22%2Fbin%2Ftaskcluster-interactive-shell%22%20%5D%3B%20then%20SPAWN%3D%22%2Fbin%2Ftaskcluster-interactive-shell%22%3B%20fi%3Bexec%20%24SPAWN%3B (“connect-src”) client.js:75

The japanese text says the page settings block reading the resources at the url that follows.

Nothing has changed in the tools site or with docker-worker, and that's a stateless DNS URL like those we've been using for millennia. To my knowledge, docker-worker doesn't have a CSP.

Are you using a nightly Firefox by chance? ETP?

Component: General → UI and Tools

Latest nightly. ETP set to "standard"

Try again with release?

Interesting. It does work with release.

Summary: Interactive tasks don't work because of CSP errors → Interactive tasks don't work because of CSP errors in latest Firefox nightly

(In reply to Mike Hommey [:glandium] from comment #4)

Interesting. It does work with release.

jkt, do you know of anything that might have changed in this area on Nightly?

Flags: needinfo?(jkt)

I couldn't get the shell to work for me (I couldn't find the button to click on). Do these pages load into an about page? We have progressively been adding CSP to those: https://bugzilla.mozilla.org/show_bug.cgi?id=1492063

We also have changed the serialization format of CSP and moved it from the principal to loadInfo amongst other smaller changes.

So I got it working in the end and can replicate.

For reference I see the following policy:

Content-Security-Policy: default-src 'none'; connect-src 'self' https: wss://*; media-src data:; script-src 'self' 'unsafe-eval' https:; font-src 'self' data:; img-src 'self' https: data:; style-src https: 'unsafe-inline'; object-src 'none'; frame-ancestors 'self'; frame-src 'self' https://auth.mozilla.auth0.com; base-uri 'none'; form-action 'none'

I'm not actually even sure if we should be blocking this URL anyway: https://github.com/w3c/webappsec-csp/issues/332

Are we sure this is actually being blocked and the error isn't a misnomer?

Flags: needinfo?(jkt)

I believe this was fixed in https://github.com/taskcluster/taskcluster/commit/39537e640baee5c279256a4923c0d3b25e0597ea a while back.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.