Closed Bug 1652257 Opened 5 years ago Closed 5 years ago

Firefox CSP inline script Error w/jQuery on specific site

Categories

(Core :: DOM: Security, defect)

80 Branch
defect

RESOLVED INCOMPLETE

People

(Reporter: obscenefurr, Unassigned)

Attachments

(3 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0

Steps to reproduce:

Visited the home page of the website I've been working on, whilst having the console open, confirming new CSP hashes are working for newly added changes, which I checked off for every inline script and style.

Actual results:

Firefox is saying there is an inline script (seen in first attached image) which for one is not inline, and secondly starts in the middle of a seemingly arbitrary variable (seen in the third image).

Chrome is able to accept this script, and has no such error (seen in the second image).

I'm quite sure this is not normal behavior, and I want to make sure my site is fully compatible with Firefox.

Expected results:

The script file is not seen as inline.
The CSP error does not occur.
The script start position on the error is correct.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Attached image csp01.jpg
Attached image csp02.jpg

Attaching a zip, unless it's huge or a ton of files, is a PITA. Please just attach screenshots directly.

Attachment #9163021 - Attachment is obsolete: true
Attached image csp03.jpg

(In reply to Daniel Veditz [:dveditz] from comment #3)

Created attachment 9163595 [details]
csp02.jpg

Attaching a zip, unless it's huge or a ton of files, is a PITA. Please just attach screenshots directly.

It would only let me upload a single file when creating the post

You can always add more attachments later.

The debugger is pointing at a call to "setAttribute". I can't tell from the minimized script what attribute it is at runtime, but if it's, say "onclick" then that statement is creating an inline script. If you're using strict-dynamic I think this is supposed to be fine, but if not then it's an error.

This is not a "parsing" error, this is a runtime error. It's impossible to tell from these screenshots whether it's correct behavior or not. Do you have a public site, or better a small testcase, that shows the problem? jQuery is jQuery, but we can't tell from these shots:

  1. what is your CSP
  2. what is your site static HTML
  3. what is your site code doing to cause this call to jQuery that gets detected.
Flags: needinfo?(obscenefurr)
Summary: Firefox CSP Parsing Error → Firefox CSP inline script Error w/jQuery on specific site
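
The runtime case described in the comment above, as an added example that is not part of the original bug thread: a small Node.js model of the CSP Level 3 matching rules, showing why a hash-only `script-src` accepts an inline `<script>` yet still reports a handler attribute created with `setAttribute`. It covers hash-based policies without `'strict-dynamic'`, `script-src-elem` or `script-src-attr`; the function names, the sample policy and the handler text are constructed for illustration.

```javascript
const { createHash } = require('crypto');

// Parse a CSP header value into { directive: [source expressions] }.
// A repeated directive is ignored; the first occurrence wins.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Hash-source expression for a piece of inline code.
function sha256Source(code) {
  const digest = createHash('sha256').update(code, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// kind: 'element' for <script>...</script>,
//       'attribute' for a handler such as onclick, including one created
//       at runtime with setAttribute('onclick', code).
function inlineAllowed(header, kind, code) {
  const policy = parseCsp(header);
  const sources = policy['script-src'] ?? policy['default-src'];
  if (!sources) return true; // no directive governs scripts
  const lower = sources.map((s) => s.toLowerCase());
  const hasHashOrNonce = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // 'unsafe-inline' is ignored once any hash or nonce source is listed.
  if (lower.includes("'unsafe-inline'") && !hasHashOrNonce) return true;
  const hashMatches = sources.includes(sha256Source(code));
  if (kind === 'element') return hashMatches;
  // A handler attribute needs 'unsafe-hashes' as well as a matching hash.
  return hashMatches && lower.includes("'unsafe-hashes'");
}

// Constructed sample input (not taken from the reporter's site).
const inlineScript = "console.log('boot')";
const handler = 'openMenu()';
const hashOnly = `script-src 'self' ${sha256Source(inlineScript)} ${sha256Source(handler)}`;

console.log(inlineAllowed(hashOnly, 'element', inlineScript));
console.log(inlineAllowed(hashOnly, 'attribute', handler));
console.log(inlineAllowed(`${hashOnly} 'unsafe-hashes'`, 'attribute', handler));
```

Binding the handler with `addEventListener` from an allowed script file creates no inline script, so the policy needs neither a hash for it nor `'unsafe-hashes'`.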

We can reopen this if we get more to work with.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE

(In reply to Daniel Veditz [:dveditz] from comment #7)

  1. what is your CSP

It's a mess, but it's available in the site headers.
There's no fast way to check old hashes I don't need, so they just stay there.
Any time something changes I add a new hash to script-src or style-src.

  2. what is your site static HTML

Static HTML is a hard question, it's dynamically generated from PHP.

  3. what is your site code doing to cause this call to jQuery that gets detected.

Not sure about that, something internal in WordPress likely.

The site is in open alpha now because I had to bring the firewall down for SEO.
I'm still actively working on content and optimizations.

vps.help

Flags: needinfo?(obscenefurr)