Closed Bug 1698115 Opened 4 years ago Closed 3 years ago

favicon.ico is blocked by Content Security Policy in JSON Viewer

Categories

(DevTools :: JSON Viewer, defect, P3)

Firefox 86
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1696667

People

(Reporter: alkedr, Unassigned)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0

Steps to reproduce:

Opened a URL with Content-Type: application/json on a site that has /favicon.ico.

echo '{}' > test.json
curl -L 'https://mozilla.org/favicon.ico' > favicon.ico
python -m SimpleHTTPServer 8080

Actual results:

JSON Viewer tab doesn't have a favicon.

There is an error in console:
Content Security Policy: The page’s settings blocked the loading of a resource at http://my.host/favicon.ico (“default-src”).

Expected results:

JSON Viewer tab should use http://my.host/favicon.ico.

I tried adding a Content-Security-Policy: img-src 'self' header to the URL with JSON that I was opening, but it didn't help.

It seems that Content-Security-Policy from headers is overridden by JSON Viewer here:
https://searchfox.org/mozilla-central/source/devtools/client/jsonview/converter-child.js#32
https://searchfox.org/mozilla-central/source/devtools/client/jsonview/converter-child.js#100

Would it help to add img-src 'self' or something else that whitelists favicon.ico to the kCSP variable?
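
Added example, not part of the original report and not Firefox's code: a simplified model of CSP directive fallback for image loads, showing why the console names “default-src” when no img-src is present and what adding img-src 'self' changes. The policy string ASSUMED_VIEWER_CSP, the test.json URL and the function names are assumptions for illustration; the actual kCSP value is not shown on this page.

```javascript
// Simplified model of CSP source matching for image loads (favicons are
// fetched as images). Handles only 'none', 'self', scheme sources such as
// "resource:" and exact origins; any other source form is treated as no match.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function checkImageLoad(policy, documentUrl, resourceUrl) {
  const directives = parsePolicy(policy);
  // img-src governs images; when it is absent, default-src is the fallback.
  const effective = directives.has("img-src") ? "img-src"
    : directives.has("default-src") ? "default-src" : null;
  if (effective === null) return { allowed: true, directive: null };
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl);
  const allowed = directives.get(effective).some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return res.origin === doc.origin;
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return res.protocol === s;
    try { return new URL(s).origin === res.origin; } catch { return false; }
  });
  return { allowed, directive: effective };
}

// Constructed inputs. ASSUMED_VIEWER_CSP is an assumption, not the real kCSP;
// PROPOSED_CSP appends the img-src 'self' suggested in the report.
const ASSUMED_VIEWER_CSP = "default-src 'none'; script-src resource:";
const PROPOSED_CSP = ASSUMED_VIEWER_CSP + "; img-src 'self'";
const PAGE = "http://my.host/test.json";
const FAVICON = "http://my.host/favicon.ico";

console.log(checkImageLoad(ASSUMED_VIEWER_CSP, PAGE, FAVICON));
console.log(checkImageLoad(PROPOSED_CSP, PAGE, FAVICON));
console.log(checkImageLoad(PROPOSED_CSP, PAGE, "http://other.example/x.png"));
```

With img-src 'self' present, only same-origin images pass; cross-origin image loads stay blocked, so the addition does not widen the policy beyond the site's own favicon and images.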

Thank you for the report!

I can reproduce the issue on my machine (Win10, Firefox Nightly).

Honza

Severity: -- → S3
Status: UNCONFIRMED → NEW
Has STR: --- → yes
Ever confirmed: true
Priority: -- → P3

Closing in favor of bug 1696667, which has easier STR.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE