Closed Bug 1668071 Opened 4 years ago Closed 4 years ago

Failure to load html in frame with frame-ancestors directive

Categories

(Core :: DOM: Security, defect, P2)

Firefox 81
defect

Tracking

RESOLVED FIXED
83 Branch
Tracking Status
firefox83 --- fixed

People

(Reporter: scottsd, Assigned: ckerschb)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(3 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36

Steps to reproduce:

We have a content security policy with a frame-src and frame-ancestors directive, but while Chrome loads the iframe successfully, Firefox doesn't.

Here's our full CSP Policy (notice the settings for frame-ancestors):

frame-ancestors: *.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com 'self'; default-src 'self'; connect-src 'self' https://*.kampyle.com https://*.ibm.com https://*.bluemix.net wss://*.ibmcloud.com https://*.medallia.eu https://*.segment.io https://admin.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com https://*.braze.com; script-src 'self' https://*.kampyle.com https://*.ibm.com https://*.bluemix.net https://*.braze.com https://*.medallia.eu https://*.lpsnmedia.net https://*.segment.com https://*.truste.com https://*.trustarc.com https://admin.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com 'unsafe-eval' 'unsafe-inline'; img-src 'self' data: blob: https://*.kampyle.com https://*.ibm.com https://*.walkmeusercontent.com https://*.cloudfront.net; style-src 'self' 'unsafe-inline' blob: https://*.ibm.com; font-src 'self' https://fonts.gstatic.com https://*.ibm.com data: https://1.www.s81c.com https://*.medallia.eu https://*.s81c.com; frame-src 'self' https://*.trustarc.com https://*.truste.com https://admin.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com;   

Actual results:

I turned up debugging to show the CSPContext logs from Firefox when it tries to determine whether this page should load or not, and have attached them as a log.

If I turn off the frame-ancestors setting (and X-Frame-Options) entirely the frame loads fine, but this of course causes a security hole in our app, so I would like to prevent this.

Expected results:

I believe the frame should have loaded successfully with these frame-ancestors. Instead it shows the error page for about:blank with a CSP error highlighted.

I'm also seeing this in the logs
Strict-Transport-Security: The connection to the site is untrustworthy, so the specified header was ignored.
CDhiddenIframe.compress.html
This error page has no error code in its security info aboutNetError.js:585:13
Strict-Transport-Security: The connection to the site is untrustworthy, so the specified header was ignored.
dashboardpins

Attached file ErrorPage.html

this is the error page that's shown in the hidden iFrame pointing to CSP issues

Sorry, that frame-ancestors setting was an old one we were trying; here's our actual frame-ancestors:
frame-ancestors https://*.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com 'self'

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Component: DOM: Core & HTML → DOM: Security

Thank you for reporting - that one seems valid - I'll take a look ASAP.

Flags: needinfo?(ckerschb)

Hey Scott, thanks again for reporting. I do think this is a valid bug, though given the information provided I was not able to reproduce it as of now. I see in your provided CSP log that permitsInternal blocks about:blank before even checking the actual URI, so potentially Firefox is incorrectly accounting for a blank iframe first.

Is it possible in any way that you provide a live testcase which would allow me to reproduce the problem? Having a shared testcase would be best to identify and fix the problem. If that is not possible for any reason, could you maybe share a code snippet showing how exactly you create the iframe that is blocked?

Flags: needinfo?(ckerschb) → needinfo?(scottsd)
Assignee: nobody → ckerschb
Priority: -- → P2
Whiteboard: [domsecurity-active]

It's a bit tricky, unfortunately, because we're relying on Walkme's library for tutorials and they own the actual code adding the iframe that's failing. I'll reach out to support@walkme.com for more information, but let me send you what I can see in their code in the meantime.

This appears to be the function that initializes the iFrame the first time

var n="walkme-proxy-iframe";(t=document.getElementById(n))?e():t=J("about:blank",n,!1,e,null,null,!0)}(function(){try{ne("initProxyHiddenIframeDone",{mark:!0,level:1,measureName:"initProxyIframe",startMark:"initProxyHiddenIframeStart"});var e=mtjQuery(t).contents(),n=t.contentWindow||t.window;q(e.find("body")[0]),ne("initIframeMessageSenderStart",{mark:!0,level:1}),function(e,n,t){if(n.document.getElementById("wm-hidden-iframe-script"))return;var r=n.document.createElement("script");r.type="text/javascript",r.id="wm-hidden-iframe-script",r.async=!0,r.src=$(),window._walkmeInternals.hiddenIframeCallback=t,e.find("head")[0].appendChild(r)}(e,n,function(){ne("initIframeMessageSenderDone",{level:1,measureName:"injectMessageSender",startMark:"initIframeMessageSenderStart"}),window._walkmeInternals.hiddenIframeCallbackCalled=!0})}catch(e){}})):n&&q()}(),r.WaitDocumentReady?(p("wdr"),mtjQuery(document).ready(function(){ne("jQueryDocumentReadyEvent",{measureName:"jQueryDocumentReady",startMark:"jQueryScriptLoaded"}),b(r)})):(p("ndr"),b(r))}function b(e){ne("jQueryDocumentReady");try{(t=I(n=e))&&""!=t?(ne("preLibStartLoad",{mark:!0}),window["walkme_pre_lib_loaded"]=function(){window["walkme_pre_lib_loaded"]=function(){try{console.log("walkme_pre_lib_loaded was called twice.")}catch(e){}},E(n)},z(t)):E(n)}catch(e){}var n,t}function S(e){try{var n=Z("wm_load_test_"+g+"_"+f),t=parseInt(n);if(t)return ne("startLoadingTest"),_walkmeInternals.loadingTestDone=function(){ne("endLoadingTest"),_walkmeInternals.loadingTestDone=void 0,e&&e()},

Whereas the J function is this:

function J(e, n, t, r, i, a, o, s) {
  a = a || document.body;                      // parent element, defaults to <body>
  var l = document.createElement("iframe");
  try { a.appendChild(l); } catch (e) {        // fall back to the parent's own document
    l = a.ownerDocument.createElement("iframe");
    a.appendChild(l);
  }
  l.id = n;                                    // e.g. "walkme-proxy-iframe"
  if (!o) l.className = "walkme-to-remove";
  if (!t) l.style.cssText = "display:none;visibility:hidden;";   // hidden unless t is truthy
  if (s) for (var d in s) if (s.hasOwnProperty(d)) l.setAttribute(d, s[d]);
  l.addEventListener("load", function e(n) {   // one-shot load callback r
    if (l.removeEventListener) l.removeEventListener("load", e);
    if (r) r(n);
  }, false);
  l.src = e;                                   // e.g. "about:blank"
  return l;
}

This is the content of the actual HTML that's trying to be loaded into the iframe:

<!doctype html><html><body><script type="text/javascript">var _walkmeEv={Ev:function(src){return eval(src)}};!function(){var l="WalkMe_testStorage",i={Cookies:"cookies",LocalStorage:"localStorage",IndexedDB:"indexedDB"},n=/^[a-zA-Z\d]{1,45}$/,r={checkCanSave:"checkCanSave",getAllMultiple:"getAllMultiple",set:"set",delete:"delete",add:"add",addSet:"addSet",get:"get",setSession:"setSession",getSession:"getSession",increment:"increment",getOrSetAndGet:"getOrSetAndGet",terminate:"terminate",remove:"remove",initBroadcastChannel:"initBroadcastChannel"},k={};"object"!=typeof JSON&&(JSON={}),function(){"use strict";function e(e){return e<10?"0"+e:e}"function"!=typeof Date.prototype.toJSON&&(Date.prototype.toJSON=function(){return isFinite(this.valueOf())?this.getUTCFullYear()+"-"+e(this.getUTCMonth()+1)+"-"+e(this.getUTCDate())+"T"+e(this.getUTCHours())+":"+e(this.getUTCMinutes())+":"+e(this.getUTCSeconds())+"Z":null},String.prototype.toJSON=Number.prototype.toJSON=Boolean.prototype.toJSON=function(){return this.valueOf()});var f,l,g,n=/[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g,t=/[\\\"\x00-\x1f\x7f-\x9f\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g,r={"\b":"\\b","\t":"\\t","\n":"\\n","\f":"\\f","\r":"\\r",'"':'\\"',"\\":"\\\\"};function d(e){return t.lastIndex=0,t.test(e)?'"'+e.replace(t,function(e){var t=r[e];return"string"==typeof t?t:"\\u"+("0000"+e.charCodeAt(0).toString(16)).slice(-4)})+'"':'"'+e+'"'}"function"!=typeof JSON.stringify&&(JSON.stringify=function(e,t,n){var r;if(l=f="","number"==typeof n)for(r=0;r<n;r+=1)l+=" ";else"string"==typeof n&&(l=n);if((g=t)&&"function"!=typeof t&&("object"!=typeof t||"number"!=typeof t.length))throw new Error("stringify");return function e(t,n){var r,i,o,s,a,u=f,c=n[t];switch(c&&"object"==typeof c&&"function"==typeof c.toJSON&&(c=c.toJSON(t)),"function"==typeof g&&(c=g.call(n,t,c)),typeof c){case"string":return 
d(c);case"number":return isFinite(c)?String(c):"null";case"boolean":case"null":return String(c);case"object":if(!c)return"null";if(f+=l,a=[],"[object Array]"===Object.prototype.toString.apply(c)){for(s=c.length,r=0;r<s;r+=1)a[r]=e(r,c)||"null";return o=0===a.length?"[]":f?"[\n"+f+a.join(",\n"+f)+"\n"+u+"]":"["+a.join(",")+"]",f=u,o}if(g&&"object"==typeof g)for(s=g.length,r=0;r<s;r+=1)"string"==typeof g[r]&&(o=e(i=g[r],c))&&a.push(d(i)+(f?": ":":")+o);else for(i in c)Object.prototype.hasOwnProperty.call(c,i)&&(o=e(i,c))&&a.push(d(i)+(f?": ":":")+o);return o=0===a.length?"{}":f?"{\n"+f+a.join(",\n"+f)+"\n"+u+"}":"{"+a.join(",")+"}",f=u,o}}("",{"":e})}),"function"!=typeof JSON.parse&&(JSON.parse=function(e,s){var t;if(e=String(e),n.lastIndex=0,n.test(e)&&(e=e.replace(n,function(e){return"\\u"+("0000"+e.charCodeAt(0).toString(16)).slice(-4)})),/^[\],:{}\s]*$/.test(e.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,"@").replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,"]").replace(/(?:^|:|,)(?:\s*\[)+/g,"")))return t=_walkmeEv.Ev("("+e+")"),"function"==typeof s?function e(t,n){var r,i,o=t[n];if(o&&"object"==typeof o)for(r in o)Object.prototype.hasOwnProperty.call(o,r)&&(void 0!==(i=e(o,r))?o[r]=i:delete o[r]);return s.call(t,n,o)}({"":t},""):t;throw new SyntaxError("parse")})}();var y,o,s,a,I=JSON,e=(y=String.fromCharCode,o="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-$",s={},a={compressToEncodedURIComponent:function(e){return null==e?"":a._compress(e,6,function(e){return o.charAt(e)})},decompressFromEncodedURIComponent:function(t){return null==t?"":""==t?null:(t=t.replace(/ /g,"+"),a._decompress(t.length,32,function(e){return function(e,t){if(!s[e]){s[e]={};for(var n=0;n<e.length;n++)s[e][e.charAt(n)]=n}return s[e][t]}(o,t.charAt(e))}))},compress:function(e){return a._compress(e,16,function(e){return y(e)})},_compress:function(e,t,n){if(null==e)return"";var 
r,i,o,s={},a={},u="",c="",f="",l=2,g=3,d=2,p=[],v=0,h=0;for(o=0;o<e.length;o+=1)if(u=e.charAt(o),Object.prototype.hasOwnProperty.call(s,u)||(s[u]=g++,a[u]=!0),c=f+u,Object.prototype.hasOwnProperty.call(s,c))f=c;else{if(Object.prototype.hasOwnProperty.call(a,f)){if(f.charCodeAt(0)<256){for(r=0;r<d;r++)v<<=1,h==t-1?(h=0,p.push(n(v)),v=0):h++;for(i=f.charCodeAt(0),r=0;r<8;r++)v=v<<1|1&i,h==t-1?(h=0,p.push(n(v)),v=0):h++,i>>=1}else{for(i=1,r=0;r<d;r++)v=v<<1|i,h==t-1?(h=0,p.push(n(v)),v=0):h++,i=0;for(i=f.charCodeAt(0),r=0;r<16;r++)v=v<<1|1&i,h==t-1?(h=0,p.push(n(v)),v=0):h++,i>>=1}0==--l&&(l=Math.pow(2,d),d++),delete a[f]}else for(i=s[f],r=0;r<d;r++)v=v<<1|1&i,h==t-1?(h=0,p.push(n(v)),v=0):h++,i>>=1;0==--l&&(l=Math.pow(2,d),d++),s[c]=g++,f=String(u)}if(""!==f){if(Object.prototype.hasOwnProperty.call(a,f)){if(f.charCodeAt(0)<256){for(r=0;r<d;r++)v<<=1,h==t-1?(h=0,p.push(n(v)),v=0):h++;for(i=f.charCodeAt(0),r=0;r<8;r++)v=v<<1|1&i,h==t-1?(h=0,p.push(n(v)),v=0):h++,i>>=1}else{for(i=1,r=0;r<d;r++)v=v<<1|i,h==t-1?(h=0,p.push(n(v)),v=0):h++,i=0;for(i=f.charCodeAt(0),r=0;r<16;r++)v=v<<1|1&i,h==t-1?(h=0,p.push(n(v)),v=0):h++,i>>=1}0==--l&&(l=Math.pow(2,d),d++),delete a[f]}else for(i=s[f],r=0;r<d;r++)v=v<<1|1&i,h==t-1?(h=0,p.push(n(v)),v=0):h++,i>>=1;0==--l&&(l=Math.pow(2,d),d++)}for(i=2,r=0;r<d;r++)v=v<<1|1&i,h==t-1?(h=0,p.push(n(v)),v=0):h++,i>>=1;for(;;){if(v<<=1,h==t-1){p.push(n(v));break}h++}return p.join("")},decompress:function(t){return null==t?"":""==t?null:a._decompress(t.length,32768,function(e){return t.charCodeAt(e)})},_decompress:function(e,t,n){var r,i,o,s,a,u,c,f=[],l=4,g=4,d=3,p="",v=[],h={val:n(0),position:t,index:1};for(r=0;r<3;r+=1)f[r]=r;for(o=0,a=4,u=1;u!=a;)s=h.val&h.position,h.position>>=1,0==h.position&&(h.position=t,h.val=n(h.index++)),o|=(0<s?1:0)*u,u<<=1;switch(o){case 0:for(o=0,a=256,u=1;u!=a;)s=h.val&h.position,h.position>>=1,0==h.position&&(h.position=t,h.val=n(h.index++)),o|=(0<s?1:0)*u,u<<=1;c=y(o);break;case 
1:for(o=0,a=65536,u=1;u!=a;)s=h.val&h.position,h.position>>=1,0==h.position&&(h.position=t,h.val=n(h.index++)),o|=(0<s?1:0)*u,u<<=1;c=y(o);break;case 2:return""}for(i=f[3]=c,v.push(c);;){if(h.index>e)return"";for(o=0,a=Math.pow(2,d),u=1;u!=a;)s=h.val&h.position,h.position>>=1,0==h.position&&(h.position=t,h.val=n(h.index++)),o|=(0<s?1:0)*u,u<<=1;switch(c=o){case 0:for(o=0,a=256,u=1;u!=a;)s=h.val&h.position,h.position>>=1,0==h.position&&(h.position=t,h.val=n(h.index++)),o|=(0<s?1:0)*u,u<<=1;f[g++]=y(o),c=g-1,l--;break;case 1:for(o=0,a=65536,u=1;u!=a;)s=h.val&h.position,h.position>>=1,0==h.position&&(h.position=t,h.val=n(h.index++)),o|=(0<s?1:0)*u,u<<=1;f[g++]=y(o),c=g-1,l--;break;case 2:return v.join("")}if(0==l&&(l=Math.pow(2,d),d++),f[c])p=f[c];else{if(c!==g)return null;p=i+i.charAt(0)}v.push(p),f[g++]=i+p.charAt(0),i=p,0==--l&&(l=Math.pow(2,d),d++)}}});function b(e){try{console.log("Error: "+e)}catch(e){}}function t(t,n){var r=function(){n&&n(!1)};try{t.setItem(l,l,l,function(){t.getItem(l,l,function(e){t.removeItem(l,l,void 0,void 0,!0),n(e==l)},r,!0)},r,!1,!0)}catch(e){r()}}function T(t,n,r,i,o,s,a){t.getItem(n,r,function(e){(e=e||{value:0}).value!==o&&e.value++,e.saveTime=(new Date).getTime(),e.expireSeconds=i,t.setItem(n,r,e,function(){s&&s(e.value)},a)},a)}function x(t,n,r,i,o,s,a){t.getItem(n,r,function(e){e?s&&s(I.parse(e.value)):(e={value:I.stringify(o),saveTime:(new Date).getTime(),expireSeconds:i},t.setItem(n,r,e,function(){s&&s(o)},a))},a)}function u(e,t){return t.extraData&&t.extraData.envName&&n.test(t.extraData.envName)?e+"_"+t.extraData.envName:e}k.Compressor=e;var c,f,g;function d(){var d,s=this,p=";path=/",n=";domain=",r=";expires=",i=";secure",o=";SameSite=None",a=";SameSite=Lax",u="=",v="***DEL***",h="WalkMeStorage_",y=63072e3,m=4096,c="";function f(){return"https:"===window.location.protocol}function l(e,t,n,r){var i=h+e;!function(e,t){var 
n,r,i=document.cookie.split(";");for(r=0;r<i.length;r++)0===(n=(n=i[r].substr(0,i[r].indexOf("="))).replace(/^\s+|\s+$/g,"")).indexOf(e)&&S(n,v,-1*y,t)}(i,r);var o=I.stringify(t);d&&(o=d.compressToEncodedURIComponent(o)),"string"!=typeof o&&(o=o.toString()),-1<o.indexOf(";")&&o.replace(";","");for(var s,a,u,c,f=function(e,t){for(var n=[],r=0,i=e.length;r<i;r+=t)n.push(e.substring(r,r+t));return n}(o,(s=i,a=r,u=w(n),c=b(a),m-(s.length+3+u.length+c.length+p.length))),l=0;l<f.length;l++){var g=i;0<l&&(g+="_"+l),S(g,f[l],n,r)}}function S(e,t,n,r){var i=w(n),o=b(r),s=t+i+p+o;document.cookie=e+u+s+c}function w(e){var t="";if(0!=e&&!isNaN(e)){var n=new Date;n.setTime(n.getTime()+1e3*e),t=r+n.toUTCString()}return t}function b(e){var t="";return e&&0<e.length&&(t=n+e),t}function g(e){var t,n=document.cookie.split(";"),r=h+e;if(t=function(e,t){var n,r="";for(n=0;n<O(e);n++){var i=0===n?t:t+"_"+n;e.hasOwnProperty(i)&&(r+=e[i])}return r}(function(e,t){var n,r,i,o={};for(i=0;i<e.length;i++)n=e[i].substr(0,e[i].indexOf("=")),r=e[i].substr(e[i].indexOf("=")+1),0===(n=n.replace(/^\s+|\s+$/g,"")).indexOf(t)&&(o[n]=r);return o}(n,r),r),d&&(t=d.decompressFromEncodedURIComponent(t)),!t||t==v)return{};try{return I.parse(t)||{}}catch(e){return{}}}function O(e){var t=0;for(var n in e)e.hasOwnProperty(n)&&t++;return t}s.init=function(e,t){t&&t()},s.testConnection=function(e){t(s,e)},this.setItem=function(e,t,n,r,i){try{var o=g(e);o[t]=n,l(e,o,y),r&&r()}catch(e){i&&i(e)}},this.getItem=function(e,t,n,r){try{var i=g(e);n&&n(i[t])}catch(e){r&&r(e)}},this.getAll=function(e,t,n){try{var r=g(e),i=[];for(var o in r){var s=r[o];void 0!==s&&i.push({key:o,saveObj:s})}t&&t(i)}catch(e){n&&n(e)}},this.removeItem=function(e,t,n,r){try{var i=g(e);delete i[t],l(e,i,y),n&&n()}catch(e){r&&r(e)}},this.increment=function(e,t,n,r,i,o){T(s,e,t,n,r,i,o)},this.getOrSetAndGet=function(e,t,n,r,i,o){x(s,e,t,n,r,i,o)},function(){d=k.Compressor;var 
e,t=((e={init:function(){this.browser=this.searchString(this.dataBrowser)||"An unknown browser",this.version=this.searchVersion(navigator.userAgent)||this.searchVersion(navigator.appVersion)||"an unknown version",this.OS=this.searchString(this.dataOS)||"an unknown OS"},searchString:function(e){for(var t=0;t<e.length;t++){var n=e[t].string,r=e[t].prop;if(this.versionSearchString=e[t].versionSearch||e[t].identity,n){if(-1!=n.indexOf(e[t].subString))return e[t].identity}else if(r)return e[t].identity}},searchVersion:function(e){var t=e.indexOf(this.versionSearchString);if(-1!=t)return parseFloat(e.substring(t+this.versionSearchString.length+1))},dataBrowser:[{string:navigator.userAgent,subString:"Chrome",identity:"Chrome"},{string:navigator.userAgent,subString:"OmniWeb",versionSearch:"OmniWeb/",identity:"OmniWeb"},{string:navigator.vendor,subString:"Apple",identity:"Safari",versionSearch:"Version"},{prop:window.opera,identity:"Opera",versionSearch:"Version"},{string:navigator.vendor,subString:"iCab",identity:"iCab"},{string:navigator.vendor,subString:"KDE",identity:"Konqueror"},{string:navigator.userAgent,subString:"Firefox",identity:"Firefox"},{string:navigator.vendor,subString:"Camino",identity:"Camino"},{string:navigator.userAgent,subString:"Netscape",identity:"Netscape"},{string:navigator.userAgent,subString:"MSIE",identity:"Explorer",versionSearch:"MSIE"},{string:navigator.userAgent,subString:"Trident",identity:"Explorer",versionSearch:" 
rv"},{string:navigator.userAgent,subString:"Edge",identity:"Edge"},{string:navigator.userAgent,subString:"Gecko",identity:"Mozilla",versionSearch:"rv"},{string:navigator.userAgent,subString:"Mozilla",identity:"Netscape",versionSearch:"Mozilla"}],dataOS:[{string:navigator.platform,subString:"Win",identity:"Windows"},{string:navigator.platform,subString:"Mac",identity:"Mac"},{string:navigator.userAgent,subString:"iPhone",identity:"iPhone/iPod"},{string:navigator.platform,subString:"Linux",identity:"Linux"}]}).init(),e);c="Safari"===t.browser?f()?i:a:f()?o+i:a}.apply(null,arguments)}function p(){var l,g,s=this,d=/\[guid=(.+) dict=(.+) key=([\s\S]+)\]$/,p=/\[guid=(.+) key=([\s\S]+)\]$/,v=1;function n(){g=!1}function u(e,t){for(var n=h(e),r=0;r<n.length;r++){var i=n[r],o=d.exec(i);o&&o[v]==e&&o[2]==t&&(y(e,i),l.removeItem(i))}}s.testConnection=function(e){t(s,e)},s.init=function(e,t){try{!function(e){var t="WalkMeStorage_"+e,n=l.getItem(t);if(n){var r=I.parse(n);for(var i in r)r.hasOwnProperty(i)&&s.setItem(e,i,r[i])}l.removeItem(t)}(e)}catch(e){b("error upgrading old data error="+e)}window.addEventListener?window.addEventListener("storage",n,!1):window.attachEvent&&document.attachEvent("onstorage",n),t&&t()},s.terminate=function(){window.removeEventListener?window.removeEventListener("storage",n,!1):window.attachEvent&&document.detachEvent("onstorage",n)},s.setItem=function(e,t,n,r,i,o,s){try{var a;s?a=t:f(e,a=S(e,t)),l.setItem(a,I.stringify(n)),(o||void 0===o)&&u(e,t),r&&r()}catch(e){i&&i(e)}},this.getItem=function(e,t,n,r,i){try{var o=i?t:S(e,t),s=l.getItem(o);s&&(s=I.parse(s)),n&&n(s)}catch(e){r&&r(e)}},this.getAll=function(e,t,n){if(g)t&&t();else try{for(var r=[],i=function(e,t){for(var n={},r=h(e),i=0;i<r.length;i++){var o=r[i],s=d.exec(o);s&&s[v]==e&&(n[s[2]]||(n[s[2]]={}),n[s[2]][s[3]]=I.parse(l.getItem(o)))}return n}(e),o=h(e),s=0;s<o.length;s++){var a=o[s],u=p.exec(a);if(u&&u[v]==e){var 
c=u[2],f=I.parse(l.getItem(a));c&&null!=f&&(i[c]&&(f.value=I.stringify(i[c])),r.push({key:c,saveObj:f}))}}g=!0,t&&t(r)}catch(e){n&&n(e)}},this.removeItem=function(e,t,n,r,i){try{var o;i?o=t:y(e,o=S(e,t)),l.removeItem(o),i||u(e,t),n&&n()}catch(e){r&&r(e)}},this.increment=function(e,t,n,r,i,o){T(s,e,t,n,r,i,o)},this.getOrSetAndGet=function(e,t,n,r,i,o){x(s,e,t,n,r,i,o)},this.addToDictionary=function(e,t,n,r){var i=w(e,t,n);f(e,i),l.setItem(i,I.stringify(r))},this.removeFromDictionary=function(e,t,n){var r=w(e,t,n);y(e,r),l.removeItem(r)};var r="-keys",i="-keysV2",o=";|~",a=new RegExp(";","g");function h(e){var t=l.getItem(e+i);return t||(t=l.getItem(e+r))&&(t=t.replace(a,o),l.removeItem(e+r),l.setItem(e+i,t)),t?t=t.split(o):c(e,t=function(e){for(var t,n=[],r=0;r<l.length;r++){t=l.key(r);var i=/\[guid=(.+) .+\]$/.exec(t);i&&i[v]==e&&n.push(t)}return n}(e)),t}function c(e,t){l.setItem(e+i,t.join(o))}function f(e,t){var n=h(e);-1==m(t,n)&&(n.push(t),c(e,n))}function y(e,t){var n=h(e),r=m(t,n);-1<r&&(n.splice(r,1),c(e,n))}function m(e,t){for(var n=0;n<t.length;n++)if(t[n]==e)return n;return-1}function S(e,t){return"WMS[guid="+e+" key="+t+"]"}function w(e,t,n){return"WMS[guid="+e+" dict="+t+" key="+n+"]"}(function(){try{l=window.localStorage}catch(e){b("local storage is blocked by browser settings error="+e)}}).apply(null,arguments)}function v(){var s,a,o,n,e=this,u=0,c=0;function f(e,t,n,r,i){1e4<++u&&(u=0);var o=I.stringify({action:e,guid:t,obj:n,num:u});a[u]={success:r,failed:i},c++,s.postMessage(o)}function r(e){if(!o){var t=I.parse(e.data);if("ready"==t){for(var n=0;n<a.init.length;n++)a.init[n]();a.init.length=0}else{c--;var r=t.num,i=a[r];delete a[r],t.success?i&&i.success&&i.success(t.obj):i&&i.failed&&i.failed(t.obj)}}}function i(){0<c&&function(e){for(var t=(new Date).getTime(),n=0;n<1e7&&!((new Date).getTime()-t>e);n++);}(150)}e.init=function(e,t){s||((s=new 
Worker("indexedDbManager.js")).onmessage=r,window.onbeforeunload=i),t&&(n?t():a.init.push(t))},e.testConnection=function(e){e&&f("test",l,null,function(){e(!0)},function(){e(!1)})},e.terminate=function(){o=!0,s&&s.terminate()},e.setItem=function(e,t,n,r,i,o){f("set",e,{key:t,value:n,clearDict:o},r,i)},e.getItem=function(e,t,n,r){f("get",e,{key:t},n,r)},e.getAll=function(e,t,n){f("all",e,null,t,n)},e.removeItem=function(e,t,n,r){f("del",e,{key:t},n,r)},e.addToSet=function(e,t,n,r,i){f("addSet",e,{key:t,value:n},r,i)},this.addToDictionary=function(e,t,n,r,i,o){f("add",e,{dict:t,key:n,value:r},i,o)},this.removeFromDictionary=function(e,t,n,r,i){f("rem",e,{dict:t,key:n},r,i)},this.increment=function(e,t,n,r,i,o){f("inc",e,{key:t,ttl:n,lastValue:r},i,o)},this.getOrSetAndGet=function(e,t,n,r,i,o){f("getOrSet",e,{key:t,ttl:n,fallbackValue:r},i,o)},function(){a={init:[function(){n=!0}]}}.apply(null,arguments)}function h(){c||((c=new BroadcastChannel("wm-channel")).onmessage=function(e){var t,n=Object.assign({},e.data);delete n.toBC,t=Object.assign({fromBC:!0},n),window.parent.postMessage(t,"*")},window.onbeforeunload=function(){c.close()})}var m=new function(){var r;this.set=function(e){var t="WMS_"+e.userGuid+e.key;r.setItem(t,e.value)},this.get=function(e){var t="WMS_"+e.userGuid+e.key,n=r.getItem(t);return void 0===n&&(n=e.defaultValue),n},function(){r=window.sessionStorage}.apply(null,arguments)};function S(e,t,n,r){try{if(!f||f!=e)switch(f=e){case i.Cookies:g=new d;break;case i.IndexedDB:g=new v;break;default:g=new p}g.init(t,n)}catch(e){r&&r(e)}}function w(e){try{var t=I.parse(e.data);if(t.toBC&&c)return void c.postMessage(t);if(n=t.requestType,!r[n])return;t.plainUserGuid=t.userGuid,t.userGuid=u(t.userGuid,t),O(t,e)}catch(e){}var n}function O(t,n){if(t.requestType===r.checkCanSave)S(t.saveMode,t.userGuid,function(){var e;e=function(e){n.source.postMessage(I.stringify({key:t.requestType,canSave:e}),"*")},g.testConnection(e)});else 
if(t.requestType===r.getAllMultiple)!function(e,t,n){var r=function(){n&&n()};try{var i={};g.getAll(e,function(e){e&&(i[t]=e),n&&n(i)},r)}catch(e){b(e),r()}}(t.userGuid,t.plainUserGuid,function(e){n.source.postMessage(I.stringify({key:t.requestType,allValues:e}),"*")});else if(t.requestType===r.set)g.setItem(t.userGuid,t.key,t.saveObj);else if(t.requestType===r.delete)g.removeItem(t.userGuid,t.key);else if(t.requestType===r.add)!function(r,i,o,s){if(g.addToDictionary)for(var e in g.setItem(r,i,s,null,null,!1),o)o.hasOwnProperty(e)&&g.addToDictionary(r,i,e,o[e]);else g.getItem(r,i,function(e){var t={};for(var n in e&&e.value&&(t=I.parse(e.value)||{}),o)o.hasOwnProperty(n)&&(t[n]=o[n]);s.value=I.stringify(t),g.setItem(r,i,s)})}(t.userGuid,t.key,t.keyValues,t.saveObj);else if(t.requestType===r.addSet)i=t.userGuid,o=t.key,s=t.saveObj,g.addToSet?g.addToSet(i,o,s):g.getItem(i,o,function(e){var t=[];e&&e.value&&(t=I.parse(e.value)||[]);for(var n=s.value,r=0;r<n.length;r++)-1==t.indexOf(n[r])&&t.push(n[r]);s.value=I.stringify(t),g.setItem(i,o,s)});else if(t.requestType===r.get)S(t.saveMode,t.userGuid,function(){g.getItem(t.userGuid,t.key,function(e){e&&n.source.postMessage(I.stringify({key:t.requestType,dataKey:t.key,saveObj:e}),"*")})});else if(t.requestType===r.setSession)m.set(t);else if(t.requestType===r.getSession){var e=m.get(t);n.source.postMessage(I.stringify({key:t.requestType,value:e,actionId:t.actionId}),"*")}else if(t.requestType===r.increment)g.increment(t.userGuid,t.key,t.ttl,t.lastValue,function(e){n.source.postMessage(I.stringify({key:t.requestType,value:e,actionId:t.actionId}),"*")});else if(t.requestType===r.getOrSetAndGet)g.getOrSetAndGet(t.userGuid,t.key,t.ttl,t.fallbackValue,function(e){n.source.postMessage(I.stringify({key:t.requestType,value:e,actionId:t.actionId}),"*")});else if(t.requestType===r.terminate)g.terminate&&g.terminate(),n.source.postMessage(I.stringify({key:t.requestType}),"*");else 
if(t.requestType===r.remove)!function(o,s,a,u){if(g.removeFromDictionary){g.setItem(o,s,u,null,null,!1);for(var e=0;e<a.length;e++)g.removeFromDictionary(o,s,a[e])}else g.getItem(o,s,function(e){var t={};e&&e.value&&(t=I.parse(e.value)||{});for(var n=!1,r=0;r<a.length;r++){var i=a[r];void 0!==t[i]&&(delete t[i],n=!0)}n&&(u.value=I.stringify(t),g.setItem(o,s,u))})}(t.userGuid,t.key,t.keysToRemove,t.saveObj);else if(t.requestType===r.initBroadcastChannel)return h();var i,o,s}window.addEventListener?window.addEventListener("message",w,!1):window.attachEvent&&window.attachEvent("onmessage",w),window.onload=function(){window.postMessage&&window.parent.postMessage("frameOrigin","*")}}()</script></body></html>
Flags: needinfo?(scottsd)
Pushed by abutkovits@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/de12da283e67 Use Principal URI instead of document URI when doing CSP frame-ancestors checks so origins which inherit the security context work correctly. r=smaug

Ahhh, I forgot to push that latest change of casting to basePrincipal, sorry about that - will fix instantly.

Flags: needinfo?(ckerschb)
Pushed by abutkovits@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/828663d4812b Use Principal URI instead of document URI when doing CSP frame-ancestors checks so origins which inherit the security context work correctly. r=smaug
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch
Regressions: 1671255
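The following is an added example, not Firefox's or WalkMe's code: a minimal CSP frame-ancestors evaluator that models the ancestor walk this bug is about. The host names are the ones from the report; the ancestor chain (the app's top-level page plus the script-created about:blank proxy iframe) is constructed for the example. Each ancestor carries both its document URL and its security principal's origin, and the check can be keyed on either, which reproduces the pre-fix result (the about:blank ancestor has an opaque origin and matches nothing, so the load is blocked) and the post-fix result (the inherited principal is the app origin and 'self' matches). It also shows why the directive name "frame-ancestors:" with a colon, as in the first policy posted, is not recognized as a directive at all.

```javascript
// Added example (not Firefox's or WalkMe's code): a minimal CSP frame-ancestors
// evaluator. Host names come from the bug report; the frame chain is constructed.

// Pull the frame-ancestors source list out of a policy string; null if the
// directive is absent (a misspelt name such as "frame-ancestors:" counts as absent).
function parseFrameAncestors(policy) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1);
    }
  }
  return null;
}

// Match one host-source expression (scheme://host[:port], "*" wildcards allowed)
// against a serialized origin. selfOrigin supplies the scheme when the expression
// has none; an http source also accepts an https origin, as in CSP3.
function hostSourceMatches(expr, origin, selfOrigin) {
  if (origin === "null") return false;   // opaque origin (e.g. about:blank by URL): nothing matches it
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return false;                  // not a host-source; keywords are handled by the caller
  const [, scheme, hostPat, portPat] = m;
  const o = new URL(origin);
  const oScheme = o.protocol.slice(0, -1);
  const wantScheme = (scheme || new URL(selfOrigin).protocol.slice(0, -1)).toLowerCase();
  if (wantScheme !== oScheme && !(wantScheme === "http" && oScheme === "https")) return false;
  const host = o.hostname.toLowerCase();
  const pat = hostPat.toLowerCase();
  if (pat.startsWith("*.")) {            // *.example.com matches a.example.com, not example.com
    const suffix = pat.slice(1);
    if (!(host.endsWith(suffix) && host.length > suffix.length)) return false;
  } else if (pat !== "*" && pat !== host) {
    return false;
  }
  if (portPat === undefined) return o.port === "";   // no port-part: only the scheme's default port
  const effectivePort = o.port || (oScheme === "https" ? "443" : oScheme === "http" ? "80" : "");
  return portPat === "*" || portPat === effectivePort;
}

// May the document at selfOrigin be framed by this chain of ancestor origins?
// Every ancestor in the chain must match at least one source expression.
function frameAncestorsAllow(policy, selfOrigin, ancestorOrigins) {
  const sources = parseFrameAncestors(policy);
  if (sources === null) return true;     // no directive, no CSP restriction on framing
  return ancestorOrigins.every(origin => sources.some(src => {
    if (src === "'none'") return false;
    if (src === "'self'") return origin === selfOrigin;
    return hostSourceMatches(src, origin, selfOrigin);
  }));
}

// An ancestor frame has a document URL and a security principal. A script-created
// about:blank frame has URL about:blank but inherits its creator's principal.
// The pre-fix Firefox check keyed on the document URI; the fix keys on the principal.
function ancestorOrigins(chain, usePrincipal) {
  return chain.map(f => (usePrincipal ? f.principalOrigin : new URL(f.documentURL).origin));
}

function checkFramedBy(policy, selfOrigin, chain, usePrincipal) {
  return frameAncestorsAllow(policy, selfOrigin, ancestorOrigins(chain, usePrincipal));
}

const APP = "https://admin.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com";
const POLICY = "frame-ancestors https://*.walkmetest.apps.suite-ocp-dev.cp.fyre.ibm.com 'self'; default-src 'self'";
// Constructed chain: the app's top-level page, then the hidden proxy iframe J("about:blank", ...).
const HIDDEN_IFRAME_CHAIN = [
  { documentURL: APP + "/dashboard", principalOrigin: APP },
  { documentURL: "about:blank", principalOrigin: APP },
];

console.log("keyed on document URI:", checkFramedBy(POLICY, APP, HIDDEN_IFRAME_CHAIN, false)); // false: blocked, the bug
console.log("keyed on principal:   ", checkFramedBy(POLICY, APP, HIDDEN_IFRAME_CHAIN, true));  // true: allowed, the fix
```

The block only evaluates the CSP directive; a real load also goes through X-Frame-Options, which the report notes was disabled alongside frame-ancestors. Note that 'self' compares serialized origins, so `*.walkmetest...` is what admits other subdomains, while the bare parent host `walkmetest.apps...` matches neither source and is still refused.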
