Setting a CSP with 'self' or 'none' with createHttpServer() makes xpcshell test hang
Categories
(WebExtensions :: General, defect, P2)
Tracking
(firefox-esr78 fixed, firefox79 fixed)
People
(Reporter: t-mozbugs, Assigned: robwu)
Attachments
(1 file)
STR:
- In an xpcshell-test, using createHttpServer().registerPathHandler(), create a page with a Content-security-policy containing the keyword source 'none' or 'self' (or most likely any other source containing a ', but not a hostname or *).
- Then navigate to it using ExtensionTestUtils.loadContentPage().
An example of this is implemented at toolkit/components/extensions/test/xpcshell/test_ext_webRequest_mergecsp.js (see the TODO).
ER:
loadContentPage() loads the page and returns.
AR:
the test gets stuck at the loadContentPage() call, as some dump() statements reveal.
--
This only appears to affect CSPs set by createHttpServer, not policies set by webExtensions.
This was discussed at https://phabricator.services.mozilla.com/D63556
Comment 1•4 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2•4 years ago
I'm more inclined right now, without investigating, to think this is an issue in our tests.
Comment 3•4 years ago
Because this bug's Severity has not been changed from the default since it was filed, and its Priority is -- (Backlog,) indicating it has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)
Comment 6•4 years ago
The severity of these bugs was changed, mistakenly, from normal to S3.
Because these bugs have a priority of --, indicating that they have not been previously triaged, these bugs should be changed to Severity of --.
Comment 7•4 years ago (Assignee)
I'll fix the issue (explained in the commit message).
I'll also remove the comment because the expectation here is incorrect:
TODO Bug 1623176: this test hangs on .loadContentPage() when using "img-src 'self'" as the page's CSP, which should result in {true, true, true true}!
- Server sends: image-src 'self';
- Extension 1 removes the CSP header
- Extension 2 sets the CSP header to image-src example.com
The effective result is image-src example.com, so the first image load is expected to be blocked.
Note that the merging logic is incorrect and will be updated in bug 1635781.
Comment 8•4 years ago (Assignee)
A test used encodeURIComponent on a query string and expected the resulting URL to be comparable with URLs in a progress listener. But encodeURIComponent doesn't escape an apostrophe ('), whereas ' is percent-encoded as %27 via nsIURI.
To ensure that it works as expected, use nsIURI::equals to compare URLs instead of doing string comparisons.
Pushed by rob@robwu.nl: https://hg.mozilla.org/integration/autoland/rev/851959efb69a Normalize URI in loadContentPage r=mixedpuppy
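The mismatch described in the commit message of comment 8, as an added example that is not part of the bug or the landed patch. Node's WHATWG URL parser stands in for nsIURI (an assumption: it also percent-encodes an apostrophe in a query string as %27), and the URL, function names and event list are constructed for illustration.

```javascript
// Added example. Node's WHATWG URL parser is a stand-in for Gecko's nsIURI
// (assumption): both percent-encode an apostrophe in the query as %27.

// Constructed sample: a test page URL carrying a CSP in its query string.
function pageUrl(csp) {
  return "http://example.com/csp?value=" + encodeURIComponent(csp);
}

// What a progress listener would report: the URL after the parser
// has normalized it.
function reportedByListener(url) {
  return new URL(url).href;
}

// Fragile: raw string comparison, the pattern the commit message describes.
function matchesByString(expected, reported) {
  return expected === reported;
}

// Robust: parse both sides and compare the normalized forms, the analogue
// of nsIURI::equals. Unparseable input never matches.
function matchesNormalized(expected, reported) {
  try {
    return new URL(expected).href === new URL(reported).href;
  } catch (e) {
    return false;
  }
}

// Simulates waiting for a load: index of the first matching event, or -1,
// which in an awaiting test means the promise never resolves (a hang).
function firstMatch(expected, events, matcher) {
  return events.findIndex((ev) => matcher(expected, ev));
}

const requested = pageUrl("img-src 'self'");
const events = [reportedByListener("about:blank"), reportedByListener(requested)];

console.log(requested);  // apostrophes left as-is by encodeURIComponent
console.log(events[1]);  // apostrophes now %27
console.log(firstMatch(requested, events, matchesByString));   // -1
console.log(firstMatch(requested, events, matchesNormalized)); // 1
```

A CSP value without an apostrophe, such as a hostname or `*`, passes through both encoders unchanged, which is why only the quoted keyword sources triggered the hang.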
Comment 10•4 years ago
bugherder
Comment 11•4 years ago
bugherder uplift