Closed Bug 1638826 Opened 4 months ago Closed 4 months ago

A page's CSP base-uri affects pdf.js

Categories

(Core :: DOM: Security, defect, P1)

Tracking

RESOLVED FIXED
mozilla78
Tracking Status
firefox78 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Within Bug 1582115 we fixed the problem that a page's CSP script-src directive affects pdf.js. It seems a page's base-uri might also affect pdf.js, but it uses a different code path within Firefox. While Bug 1582115 was uplifted to Beta, the change here requires some refactoring, which is probably too worrisome to uplift that close to the end of the cycle. I'd rather fix the base-uri problem within this bug as a follow-up to Bug 1582115.

Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/2b4796470c0b
Make CSP permits function (e.g. restricting base-uri) consult subjectCSP before enforcing CSP. r=baku

huh, rock solid we have that test - I'll take a look!

Flags: needinfo?(ckerschb)
Attachment #9149839 - Attachment description: Bug 1638826: Make CSP permits function (e.g. restricting base-uri) consult subjectCSP before enforcing CSP. r=baku → Bug 1638826: Exempt pdfjs from being subject to CSP permits function. r=baku
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/85e58f1534d4
Exempt pdfjs from being subject to CSP permits function. r=baku
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78