CSP block on script src (emailJS) works fine in chrome
Component: Core :: DOM: Security (defect)
Reporter: anders.johansson; Assignee: Unassigned
Attachments: 1 file (87.61 KB, image/jpeg)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
Firefox 78.13.0esr (64-bit) on Linux. Same on Firefox 82.0 for Windows.
Go to tcckonsult.com and check the console. The following error appears:
Loading failed for the <script> with source “https://cdn.jsdelivr.net/npm/emailjs-com@2/dist/email.min.js”. tcckonsult.com:18:1
Content Security Policy: The page’s settings blocked the loading of a resource at https://cdn.jsdelivr.net/npm/emailjs-com@2/dist/email.min.js (“script-src”).
Actual results:
Script is blocked despite having a valid SHA-512 hash.
Expected results:
Script should pass as it does in Chromium and Chrome.
Hi Anders,
I was not able to visit tcckonsult.com since 'Error 1020' appeared using Firefox, and the same one appeared in other browsers such as Chrome and Opera.
Please, refer to attached screenshot '1020.jpg' and confirm if that error is the one that blocks the page, and if you're still able to see the page in other browsers.
Regards,
Jerónimo.
(In reply to Jerónimo Torti from comment #2)
> Hi Anders,
> I was not able to visit tcckonsult.com since 'Error 1020' appeared using Firefox, and the same one appeared in other browsers such as Chrome and Opera.
> Please, refer to attached screenshot '1020.jpg' and confirm if that error is the one that blocks the page, and if you're still able to see the page in other browsers.
> Regards,
> Jerónimo.
Hi
Fixed CF rules, should work now.
Comment 6 (3 years ago):
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Hi Anders,
I'm still unable to properly load the tcckonsult.com page in Firefox 92.0 (64-bit), Nightly 94.0a1 (2021-09-13) (64-bit) or the latest version of Chrome. Can you provide further details on how to load it?
Also, could you answer the following questions in order to further investigate this issue?
- Does this issue happen with a new profile? Here is a link on how to create a new profile: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
- Can you test the issue while in Safe Mode? (Safe Mode disables add-ons, extensions and themes, hardware acceleration and some JavaScript stuff in order to exclude some possible reasons for problems.) You can find helpful info here: https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode.
- Does this issue occur in the latest nightly version of firefox? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/
If you are still able to reproduce it, please, share further information with us, like screenshots, screen recording, or more specific steps.
I left the component assigned by the bot, in order to get the dev team involved.
'Core - Dom: Security' team, if the component is not relevant please change it to a more appropriate one.
Regards,
Jerónimo.
(In reply to Jerónimo Torti from comment #7)
The block you got from Cloudflare was due to a country block of your country; I removed the rule, so it should work now.
- Yes, same issue.
- Yes, tested in several versions and on both Linux and Windows.
Screenshot: https://ibb.co/p6TprWv
Regards
Anders
Comment 9 (3 years ago):
We're messing up the hash calculations somewhere
Comment 10 (3 years ago), reporter:
tcckonsult.com
So I tried changing the hash to the SHA-256 version. This did nothing.
Added a nonce. Using a nonce worked!
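As an added example (not code from the bug, the site or the CDN in question), here is the script-src matching this thread turns on: computing the CSP hash-source token for a script body, issuing a per-response nonce, and checking a script against a policy built either way. The script body and the helper names are constructed for the example.

```python
import base64
import hashlib
import secrets

# Digest algorithms CSP accepts in a hash-source ('sha256-', 'sha384-', 'sha512-').
CSP_HASH_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def csp_hash(script: bytes, algo: str = "sha512") -> str:
    """CSP hash-source for a script body, e.g. 'sha512-<base64>'.
    The digest covers the exact bytes served; a one-byte change (or a CDN
    serving a different build than the one hashed) invalidates it."""
    digest = CSP_HASH_ALGOS[algo](script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def new_nonce() -> str:
    """Fresh per-response nonce (128 bits, base64) for a 'nonce-<value>' source."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def script_src_header(*sources: str) -> str:
    """Build a CSP header value with a single script-src directive. Keyword,
    hash and nonce sources must be single-quoted; host sources must not be."""
    def quote(s: str) -> str:
        keyword = s in ("self", "none") or s.startswith(tuple(CSP_HASH_ALGOS)) or s.startswith("nonce-")
        return f"'{s}'" if keyword else s
    return "script-src " + " ".join(quote(s) for s in sources)


def script_allowed(header: str, script: bytes, script_nonce: str = "") -> bool:
    """Does a script body (plus optional nonce attribute) satisfy script-src?
    Only hash-sources and nonce-sources are evaluated; host allow-lists are ignored."""
    directive = next((d.strip() for d in header.split(";") if d.strip().startswith("script-src ")), None)
    if directive is None:
        return False
    for src in (s.strip("'") for s in directive.split()[1:]):
        algo = src.split("-", 1)[0]
        if algo in CSP_HASH_ALGOS and secrets.compare_digest(src, csp_hash(script, algo)):
            return True
        if src.startswith("nonce-") and script_nonce and secrets.compare_digest(src[6:], script_nonce):
            return True
    return False


if __name__ == "__main__":
    # Constructed stand-in for the CDN-hosted script in the report.
    body = b"window.emailjs = {init: function (k) { this.key = k; }};\n"
    by_hash = script_src_header("self", csp_hash(body))
    nonce = new_nonce()
    by_nonce = script_src_header("self", "nonce-" + nonce)
    print(by_hash)
    print("hash policy allows script:", script_allowed(by_hash, body))
    print("hash policy after one-byte change:", script_allowed(by_hash, body + b" "))
    print("nonce policy allows script:", script_allowed(by_nonce, body, nonce))
```

CSP Level 3 lets a hash-source match an external script only when the `<script>` element also carries a matching `integrity` attribute, and browser support for that differs; a nonce, as the reporter found, is the portable alternative.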