CSP/XFO error pages should offer an option to visit the page directly on Android
Categories
(Firefox for Android :: General, defect)
Tracking
| Tracking | Status | |
|---|---|---|
| firefox80 | --- | affected |
People
(Reporter: kbrosnan, Unassigned, Mentored)
References
(Blocks 1 open bug)
Details
(Whiteboard: [geckoview])
Provide the same affordance as bug 1461195 for Android. The button does not show up. Would be good to do the copy update mentioned in bug 1643964 as Android will definitely be opening a new tab.
Updated (simpler) STR:
- Go to https://johann-hofmann.com/frame-tester.html
- Enter https://google.com into the input field to get the error for X-Frame-Options
- Enter https://www.telegraph.co.uk into the input field to get the error for CSP
For these two error pages, we want to offer the possibility to open the page directly. To do that, we could offer an option like the one shown in the screenshot in comment 0 on the page.
The important part is outlined in comment 5. If we add a link to the page, we need to ensure that we're not opening it with the system principal, so that SameSite=Strict cookies are not set. You can use https://samesite-cookies.glitch.me/ to quickly test whether or not you're loading SameSite cookies. If a link from the error page is sending SameSite cookies, we could fall back to calling window.open() instead, which will hopefully not.
The more challenging part may be writing a test for this. To verify SameSite=Strict cookies aren't loading, we'll need to use a server script in our test.
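A sketch of the kind of server script such a test could use, added here as an example and not taken from the bug or from Firefox's test suite. It assumes Node.js; the route names (`/set`, `/framed`), the `via` parameter and the cookie name are hypothetical. `/framed` refuses framing so the error page appears, and reports whether the SameSite=Strict cookie arrived when the page is then opened directly.

```javascript
// Added example: hypothetical test server logic, not Firefox's own test code.
const COOKIE = "strictcookie"; // assumed cookie name

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(header) {
  const out = new Map();
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out.set(part.slice(0, i).trim(), part.slice(i + 1).trim());
  }
  return out;
}

// Pure request handler returning { status, headers, body }, so it can be
// unit tested without opening a socket.
function handle(url, cookieHeader) {
  const { pathname, searchParams } = new URL(url, "http://test.invalid");
  const sawStrict = parseCookies(cookieHeader).has(COOKIE);
  if (pathname === "/set") {
    // Step 1 of a test: a first-party visit plants the cookie.
    return { status: 200,
             headers: { "Set-Cookie": `${COOKIE}=1; SameSite=Strict; Path=/` },
             body: "cookie set" };
  }
  if (pathname === "/framed") {
    // Refuses framing, so an <iframe> load yields the XFO or CSP error page.
    const headers = searchParams.get("via") === "csp"
      ? { "Content-Security-Policy": "frame-ancestors 'none'" }
      : { "X-Frame-Options": "DENY" };
    headers["Content-Type"] = "application/json";
    // When the page is opened directly, the body records what was sent.
    return { status: 200, headers, body: JSON.stringify({ sawStrict }) };
  }
  return { status: 404, headers: {}, body: "not found" };
}

// Wire the handler into Node's built-in HTTP server, e.g. serve(8080).
function serve(port) {
  const http = require("node:http");
  return http.createServer((req, res) => {
    const r = handle(req.url, req.headers.cookie);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port);
}
```

A browser test would visit `/set`, frame `/framed` from another origin, use the error page's option to open it directly, and then require `{"sawStrict":false}` in the page that loads.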
Comment 1•5 years ago
This is front-end code, should probably be filed against Fenix (bug 1461195 shouldn't have been "DOM: Security").