Setting a CSP with 'self' or 'none' with createHttpServer() makes xpcshell test hang
Categories
(WebExtensions :: General, defect, P2)
Tracking
(firefox-esr78 fixed, firefox79 fixed)
People
(Reporter: t-mozbugs, Assigned: robwu)
Details
Attachments
(1 file)
STR:
- In an xpcshell-test, using createHttpServer().registerPathHandler(), create a page with a Content-security-policy containing the keyword source
'none'or'self'(or most likely any other source containing a', but not a hostname or*). - Then navigate to it using ExtensionTestUtils.loadContentPage().
An example of this is implemented at toolkit/components/extensions/test/xpcshell/test_ext_webRequest_mergecsp.js (see the TODO).
ER:
loadContentPage() loads the page and returns.
AR:
the test gets stuck at the loadContentPage() call, as some dump() statements reveal.
--
This only appears to affect CSPs set by createHttpServer, not policies set by webExtensions.
This was discussed at https://phabricator.services.mozilla.com/D63556
|
||
Comment 1•4 years ago
|
||
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
|
||
Comment 2•4 years ago
|
||
I'm more inclined right now, without investigating, to think this is an issue in our tests.
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
||
Comment 3•4 years ago
|
||
Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is -- (Backlog,) indicating it has has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)
|
|
||
Comment 4•4 years ago
|
||
Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is -- (Backlog,) indicating it has has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)
|
|
||
Comment 5•4 years ago
|
||
Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is -- (Backlog,) indicating it has has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)
|
|
||
Comment 6•4 years ago
|
||
The severity of these bugs was changed, mistakenly, from normal to S3.
Because these bugs have a priority of --, indicating that they have not been previously triaged, these bugs should be changed to Severity of --.
|
|
||
Updated•4 years ago
|
|
Assignee | |
Comment 7•4 years ago
|
||
I'll fix the issue (explained in the commit message).
I'll also remove the comment because the expectation here is incorrect:
TODO Bug 1623176: this test hangs on .loadContentPage() when using "img-src
'self'" as the page's CSP, which should result in {true, true, true true}!
- Server sends:
image-src 'self'; - Extension 1 removes the CSP header
- Extension 2 sets the CSP header to
image-src example.com
The effective result is image-src example.com, so the first image load is expected to be blocked.
Note that the merging logic is incorrect and will be updated in bug 1635781.
|
|
Assignee | |
Comment 8•4 years ago
|
||
A test used encodeURIComponent on a query string and expected the
resulting URL to be comparable with URLs in a progress listener.
But encodeURIComponent doesn't escape an apostrophe ('), whereas
' is percent-encoded as %27 via nsIURI.
To ensure that it works as expected, use nsIURI::equals to compare
URLs instead of doing string comparisons.
|
||
Updated•4 years ago
|
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Updated•4 years ago
|
Pushed by rob@robwu.nl: https://hg.mozilla.org/integration/autoland/rev/851959efb69a Normalize URI in loadContentPage r=mixedpuppy
|
||
Comment 10•4 years ago
|
||
| bugherder | ||
|
||
Comment 11•4 years ago
|
||
| bugherder uplift | ||
Description
•