Interactive tasks don't work because of CSP errors in latest Firefox nightly
Categories: Taskcluster :: UI, defect
Tracking: Not tracked
People: Reporter: glandium, Unassigned
This is what I see in the browser console when opening an interactive task:
Content Security Policy: ページの設定により次のリソースの読み込みをブロックしました: wss://elkk6oyaaaawyx6q7qyxvveee5pautjxrgv3bhgww5abc5en.taskcluster-worker.net:49559/3QuSn8i4S9Clc7SpPVpwdA/shell.sock?tty=true&command=sh&command=-c&command=if%20%5B%20-f%20%22%2Fetc%2Ftaskcluster-motd%22%20%5D%3B%20then%20cat%20%2Fetc%2Ftaskcluster-motd%3B%20fi%3Bif%20%5B%20-z%20%22%24TERM%22%20%5D%3B%20then%20export%20TERM%3Dxterm%3B%20fi%3Bif%20%5B%20-z%20%22%24HOME%22%20%5D%3B%20then%20export%20HOME%3D%2Froot%3B%20fi%3Bif%20%5B%20-z%20%22%24USER%22%20%5D%3B%20then%20export%20USER%3Droot%3B%20fi%3Bif%20%5B%20-z%20%22%24LOGNAME%22%20%5D%3B%20then%20export%20LOGNAME%3Droot%3B%20fi%3Bif%20%5B%20-z%20%60which%20%22%24SHELL%22%60%20%5D%3B%20then%20export%20SHELL%3Dbash%3B%20fi%3Bif%20%5B%20-z%20%60which%20%22%24SHELL%22%60%20%5D%3B%20then%20export%20SHELL%3Dsh%3B%20fi%3Bif%20%5B%20-z%20%60which%20%22%24SHELL%22%60%20%5D%3B%20then%20export%20SHELL%3D%22%2F.taskclusterutils%2Fbusybox%20sh%22%3B%20fi%3BSPAWN%3D%22%24SHELL%22%3Bif%20%5B%20%22%24SHELL%22%20%3D%20%22bash%22%20%5D%3B%20then%20SPAWN%3D%22bash%20-li%22%3B%20fi%3Bif%20%5B%20-f%20%22%2Fbin%2Ftaskcluster-interactive-shell%22%20%5D%3B%20then%20SPAWN%3D%22%2Fbin%2Ftaskcluster-interactive-shell%22%3B%20fi%3Bexec%20%24SPAWN%3B (“connect-src”) client.js:75
The Japanese text says the page settings block reading the resources at the URL that follows.
Comment 1•5 years ago
Nothing has changed in the tools site or with docker-worker, and that's a stateless DNS URL like those we've been using for millennia. To my knowledge, docker-worker doesn't have a CSP.
Are you using a nightly Firefox by chance? ETP?
Comment 2•5 years ago (Reporter)
Latest nightly. ETP set to "standard"
Comment 3•5 years ago
Try again with release?
Comment 4•5 years ago (Reporter)
Interesting. It does work with release.
Comment 6•5 years ago
(In reply to Mike Hommey [:glandium] from comment #4)
> Interesting. It does work with release.
jkt, do you know of anything that might have changed in this area on Nightly?
Comment 7•5 years ago
I couldn't get the shell to work for me (I couldn't find the button to click on). Do these pages load into an about page? We have progressively been adding CSP to those: https://bugzilla.mozilla.org/show_bug.cgi?id=1492063
We also have changed the serialization format of CSP and moved it from the principal to loadInfo amongst other smaller changes.
Comment 8•5 years ago
So I got it working in the end and can replicate.
For reference I see the following policy:
Content-Security-Policy: default-src 'none'; connect-src 'self' https: wss://*; media-src data:; script-src 'self' 'unsafe-eval' https:; font-src 'self' data:; img-src 'self' https: data:; style-src https: 'unsafe-inline'; object-src 'none'; frame-ancestors 'self'; frame-src 'self' https://auth.mozilla.auth0.com; base-uri 'none'; form-action 'none'
I'm not actually even sure if we should be blocking this URL anyway: https://github.com/w3c/webappsec-csp/issues/332
Are we sure this is actually being blocked and the error isn't a misnomer?
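Added example, not part of the thread and not code from Firefox or Taskcluster: a simplified matcher for the CSP Level 3 source-matching rules, showing how the `connect-src` list quoted in comment 8 evaluates against a `wss:` URL on a non-default port like the one in the report. The host `worker.example` and all function names are constructed for illustration; `'self'` is treated as not matching on the assumption that the page origin differs from the worker host.

```javascript
// Added example: simplified CSP Level 3 source matching for connect-src.
// Models scheme-sources ("wss:") and host-sources with a scheme ("wss://*").
// Not modelled: 'self' (assumed: page origin differs from the worker host),
// paths, and default-src fallback.
const DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443" };

function connectSources(policy) {
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === "connect-src") return sources;
  }
  return [];
}

// Subset of the CSP3 scheme upgrades: http also matches https, ws also wss.
const schemeMatches = (expr, actual) => expr === actual ||
  (expr === "http" && actual === "https") || (expr === "ws" && actual === "wss");

function hostMatches(expr, host) {
  if (expr === "*") return true;
  return expr.startsWith("*.") ? host.endsWith(expr.slice(1)) : expr === host;
}

// A host-source with no port matches only the scheme's default port.
function portMatches(exprPort, url, scheme) {
  if (exprPort === "*") return true;
  if (exprPort === undefined) return url.port === ""; // "" = default port
  return exprPort === (url.port || DEFAULT_PORTS[scheme]);
}

function sourceMatches(expr, url) {
  const scheme = url.protocol.slice(0, -1);
  const s = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (s) return schemeMatches(s[1].toLowerCase(), scheme);
  const h = /^([a-z][a-z0-9+.-]*):\/\/(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!h) return false; // keyword such as 'self', or an unsupported form
  return schemeMatches(h[1].toLowerCase(), scheme) &&
    hostMatches(h[2].toLowerCase(), url.hostname) && portMatches(h[3], url, scheme);
}

function connectAllowed(policy, target) {
  const url = new URL(target);
  return connectSources(policy).some((expr) => sourceMatches(expr, url));
}

// connect-src as quoted in comment 8; the target URL is constructed.
const REPORTED = "default-src 'none'; connect-src 'self' https: wss://*";
const TARGET = "wss://worker.example:49559/shell.sock?tty=true";
console.log(connectAllowed(REPORTED, TARGET));
```

Under the same rules a scheme-source `wss:` or a host-source with a wildcard port, `wss://*:*`, matches any port; this is a statement about the matching algorithm, not about what the Taskcluster change did.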
Comment 9•5 years ago
I believe this was fixed in https://github.com/taskcluster/taskcluster/commit/39537e640baee5c279256a4923c0d3b25e0597ea a while back.