CSP Violation "unknown directive" warning messages are duplicated in webconsole
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: nchevobbe, Assigned: tschuster)
References
(Blocks 1 open bug)
Details
(Keywords: perf-alert, Whiteboard: [domsecurity-backlog1])
Attachments
(1 file)
Steps to reproduce
- Navigate to
data:text/html,<meta http-equiv="Content-Security-Policy" content="navigate-to https://example.com"></meta> - Open the console
Expected results
There's one CSP violation warning message in the console
Content Security Policy: Couldn't process unknown directive "navigate-to"
Actual results
The warning message is duplicated (see the blue bubble on the right side of the message)
According to ckerschbaumer:
I think I know what the reason is, it's because we parse the CSP in the parent for enforcing 'frame-ancestors' and then we re-parse for actual CSP enforcement (so it's kind of expected, though not clean of course)
we should try to not have this duplication.
|
||
Comment 1•4 years ago
|
||
Yeah, we should clean that up. Marking this bug as blocking Bug 1231788, but it has to remain in the backlog for now.
|
||
Updated•1 year ago
|
|
Assignee | |
Comment 2•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 3•1 year ago
|
||
I found test failure that I don't understand combined with bug 1525624. In devtools/client/webconsole/test/browser/browser_webconsole_csp_ignore_reflected_xss_message.js we log the message
Content Security Policy: Not supporting directive ‘reflected-xss’. Directive and values will be ignored.
twice. (Which causes a warning group)
However logging seems to indicate nsCSPParser::logWarningErrorToConsole is only called once.
|
|
Assignee | |
Comment 4•1 year ago
|
||
Nicolas, is it possible that somehow the web console is duplicating the log messages? It really seems to me like the C++ code only logs once, but it still shows up twice and causes a group.
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/02f4b991d3e3 Suppress CSP parser errors/warnings in certain cases. r=freddyb
|
||
Comment 6•1 year ago
|
||
| bugherder | ||
|
Reporter | |
Comment 7•1 year ago
|
||
(In reply to Tom Schuster (MoCo) from comment #4)
Nicolas, is it possible that somehow the web console is duplicating the log messages? It really seems to me like the C++ code only logs once, but it still shows up twice and causes a group.
The only case I can think of would be for messages being emitted while the console is being open, we could get the message both from the messages cache and from the "live" callback we set, but I think we fixed this in the past and have tests covering such issue.
I can see you landed a patch, so maybe you found the culprit here?
|
|
Assignee | |
Comment 8•1 year ago
|
||
Thanks Nicolas, let's move this discussion to the right bug 1525624.
|
||
Comment 9•1 year ago
|
||
== Change summary for alert #36514 (as of Wed, 21 Dec 2022 13:17:42 GMT) ==
Improvements:
| Ratio | Test | Platform | Options | Absolute values (old vs new) | Performance Profiles |
|---|---|---|---|---|---|
| 9% | pinterest ContentfulSpeedIndex | windows10-64-shippable-qr | fission warm webrender | 516.67 -> 470.50 | |
| 3% | pinterest loadtime | windows10-64-shippable-qr | fission warm webrender | 1,252.31 -> 1,208.79 | |
| 3% | pinterest PerceptualSpeedIndex | windows10-64-shippable-qr | fission warm webrender | 1,310.58 -> 1,275.75 | |
| 2% | pinterest loadtime | macosx1015-64-shippable-qr | fission warm webrender | 1,004.71 -> 983.17 | Before/After |
For up to date results, see: https://treeherder.mozilla.org/perfherder/alerts?id=36514
|
||
Updated•1 year ago
|
|
||
Comment 10•1 year ago
|
||
Reproduced on a 2022-12-18 Nightly build on macOS 12.
Verified as fixed on Firefox 110.0b7(build ID: 20230129190147) and Nightly 111.0a1(build ID: 20230129213553) on macOS 12, Ubuntu 22, Windows 10.
Description
•