1660417 - CSP entries in ContentSecurityManager log are not valid yaml

Status: RESOLVED FIXED

(Core :: DOM: Security, defect, P2)

Description

[Jens Hausdorf :jens1o [ni? me]]

doContentSecurityCheck:
  - channelURI: chrome://global/skin/in-content/info-pages.css
  - loadingPrincipal: SystemPrincipal
  - triggeringPrincipal: SystemPrincipal
  - principalToInherit: nullptr
  - redirectChain:
  - internalContentPolicyType: TYPE_INTERNAL_STYLESHEET
  - externalContentPolicyType: TYPE_STYLESHEET
  - upgradeInsecureRequests: false
  - initialSecurityChecksDone: false
  - allowDeprecatedSystemRequests: false
  - CSP:
    - default-src chrome: resource:; img-src chrome: resource: data:; object-src 'none'
  - securityFlags:
    - SEC_ALLOW_CROSS_ORIGIN_INHERITS_SEC_CONTEXT
    - SEC_ALLOW_CHROME

various yaml parsers fail at img-src chrome:, e.g.

yaml.scanner.ScannerError: mapping values are not allowed here
  in "<unicode string>", line 13, column 52:
     ... hrome: resource:; img-src chrome: resource: data:; object-src 'none'
                                         ^

Comment 1

[Jens Hausdorf :jens1o [ni? me]]

Attachment: Bug 1660417 - Make sure CSP policy strings are logged as valid yaml r?freddyb

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:jens1o, could you have a look please?
For more information, please visit auto_nag documentation.

Comment 3

[Jens Hausdorf :jens1o [ni? me]]

I currently can't take a look at this as my Phabricator account has got disabled and I can't get it reenabled and I am currently waiting for help to get it reinstated.

Comment 4

[Pulsebot]

Pushed by fbraun@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b447e9956b44
Make sure CSP policy strings are logged as valid yaml r=freddyb,ckerschb

Comment 5

[Andreea Pavel [:apavel]]

https://hg.mozilla.org/mozilla-central/rev/b447e9956b44