CSP errors on the lego.com website when fission enabled
Categories
(Core :: DOM: Security, defect, P1)
Tracking
| Version | Tracking | Status |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox70 | --- | unaffected |
| firefox71 | --- | unaffected |
| firefox72 | --- | verified |
| firefox75 | --- | disabled |
| firefox76 | --- | disabled |
| firefox77 | --- | verified |
People
(Reporter: karlcow, Assigned: ckerschb)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [domsecurity-active])
- Go to https://www.lego.com/en-de/categories/holiday-gifts-eu
- See some content appear,
- then a big popover appears where you have to make a choice,
- click on the left side.
Expected:
View a list of products
Actual:
Content is now gone and appears to infinitely load.
mozregression --bad 2019-11-05 --good 2019-10-21
and here we are
10:52.75 INFO: Last good revision: d9d678e7422e0fbf84160b6060452910e8deeb33
10:52.75 INFO: First bad revision: e21ad27bfd0a2fef90919101eaef5aa5af1cc6c2
10:52.75 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d9d678e7422e0fbf84160b6060452910e8deeb33&tochange=e21ad27bfd0a2fef90919101eaef5aa5af1cc6c2
Comment 1•6 years ago (Assignee)
I'll take a look.
Comment 2•6 years ago
What's our plan here for 72?
Comment 3•6 years ago (Assignee)
(In reply to Jim Mathies [:jimm] from comment #2)
What's our plan here for 72?
Oh, sorry, I didn't leave any message in this bug. I just re-tested this problem with the patch from Bug 1593832 applied; the problem disappears. Once Bug 1593832 is merged, I'll re-verify that it still works correctly and then mark this as a dup, or convert it to a fission bug.
Comment 4•6 years ago (Assignee)
Summary update:
- The specific problem described in this Bug was fixed by Bug 1593832, hence marking it as fixed for FF72.
- There remains a problem when fission enabled though
Comment 5•6 years ago
I can still reproduce this bug with Fission enabled in 76 Nightly.
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://dpm.demdex.net/id?d_visid_ver=4.4.0&d_fieldgroup=MC&…9C0A4C98A7%40AdobeOrg&d_nsid=0&d_coppa=true&ts=1584676298234. (Reason: CORS request did not succeed).
Comment 7•6 years ago
ckerschb says we can defer this bug to Fission Nightly (M6)
Comment 9•6 years ago (Assignee)
Unfortunately I haven't touched this bug for a long time, but I just tried to reproduce using the STRs from Comment 0 and it works. The reason is most likely Bug 1599131, where we moved the CSP frame-ancestors checks and the x-frame-options check entirely into the parent process.
Chris, just to confirm, is that working for you as well? If so, I would like to mark this bug as fixed by bug 1599131.
Comment 10•6 years ago
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #9)
Chris, just to confirm, is that working for you as well? If so, I would like to mark this bug as fixed by bug 1599131.
Yep! The Lego page loads correctly for me now.
I'll close this bug as fixed by bug 1599131.
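Comments 9 and 10 attribute the fix to bug 1599131 moving the CSP frame-ancestors and X-Frame-Options checks into the parent process, which is the only process that can see the full ancestor chain once Fission puts cross-origin frames in separate content processes. The block below is an added example, not Firefox code and not part of this bug: a simplified model of that check, taking the document's response headers and the URLs of all its ancestors and reporting which header decided. It follows the CSP3 rule that a present frame-ancestors directive makes X-Frame-Options irrelevant, and checks every ancestor for SAMEORIGIN as the HTML spec algorithm does. All URLs and header values are constructed.

```javascript
// Added example, not Firefox code: a simplified model of the embedding check
// that comment 9 says bug 1599131 moved into the parent process, which sees the
// whole ancestor chain even when each frame lives in a different content process.
// Every URL and header value here is constructed for illustration.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

function portOf(url) {
  return url.port || DEFAULT_PORT[url.protocol] || '';
}

// Parse a Content-Security-Policy value into directive name -> source list.
// Only the first occurrence of a directive counts; later duplicates are ignored.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Match one frame-ancestors source expression against an ancestor URL.
// Handles 'self', '*', scheme-source ("https:") and host-source
// ("https://*.example.com:8443"); 'none' is handled by the caller.
function sourceMatches(source, ancestor, doc) {
  const s = source.toLowerCase();
  if (s === "'self'") return ancestor.origin === doc.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A scheme-less host-source takes the document's own scheme; an http
  // source may be satisfied by an https ancestor, never the other way round.
  const want = scheme ? `${scheme}:` : doc.protocol;
  const schemeOk = ancestor.protocol === want || (want === 'http:' && ancestor.protocol === 'https:');
  if (!schemeOk) return false;
  const hostOk = wildcard ? ancestor.hostname.endsWith(`.${host}`) : ancestor.hostname === host;
  if (!hostOk) return false;
  if (port === '*') return true;
  if (port === undefined) return ancestor.port === ''; // default port for its scheme
  return portOf(ancestor) === port;
}

// Decide whether `documentUrl`, served with `headers`, may be embedded below
// the given ancestor chain (outermost first). Reports which header decided.
function mayBeFramed(documentUrl, headers, ancestorUrls) {
  const doc = new URL(documentUrl);
  const ancestors = ancestorUrls.map((u) => new URL(u));
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (ancestors.length === 0) return { allowed: true, by: 'top-level' };

  const fa = parseCsp(h['content-security-policy'] || '').get('frame-ancestors');
  if (fa) {
    // CSP3: when frame-ancestors is present, X-Frame-Options is ignored.
    if (fa.length === 1 && fa[0].toLowerCase() === "'none'") return { allowed: false, by: 'frame-ancestors' };
    const ok = ancestors.every((a) => fa.some((src) => sourceMatches(src, a, doc)));
    return { allowed: ok, by: 'frame-ancestors' };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, by: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') {
    // Every ancestor must be same-origin with the document, as in the HTML
    // spec algorithm (browsers historically disagreed on intermediate frames).
    return { allowed: ancestors.every((a) => a.origin === doc.origin), by: 'x-frame-options' };
  }
  return { allowed: true, by: 'no-restriction' };
}

// Constructed sample: a page that only lets itself and its own subdomains frame it.
const PAGE = 'https://www.example.com/categories/page';
const HEADERS = { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.example.com" };
console.log(mayBeFramed(PAGE, HEADERS, ['https://shop.example.com/'])); // allowed
console.log(mayBeFramed(PAGE, HEADERS, ['https://shop.example.com/', 'https://attacker.test/'])); // blocked
```

The point of the model is the `ancestors.every(...)` loop: a single content process hosting only the innermost frame cannot build that list when its parent frames are cross-origin and out of process, which is why the check had to move to the parent.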
Comment 11•4 years ago
I was able to reproduce this issue with Fission enabled on an affected Nightly build 72.0a1 (Build ID: 20191118093852), following the STR from Comment 0, on Windows 10 x64.
Due to the fact that on older builds Fission is blocked on false on Beta and Release, this issue is verified as fixed on Nightly 72.0a1 (20191201093732) and 77.0a1 (20200504093644), across the following platforms: Windows 10 x64, macOS 10.15 and Ubuntu 20.04.