Closed Bug 1742631 Opened 3 years ago Closed 2 years ago

Missing Comment Fields on ufp.teamviewer.com (TinyMCE blocked by CSP that relies on script-src-elem)

Categories

(Web Compatibility :: Site Reports, defect)

x86_64
All
defect

Tracking

(firefox96 affected)

RESOLVED WORKSFORME
Tracking Status
firefox96 --- affected

People

(Reporter: gcp, Unassigned)

References

Details

STR:

  1. Load https://ufp.teamviewer.com/cb/participate/1d3d69fe-4079-11ec-94e6-005056bbe188
  2. Fill in random stuff on the first page
  3. Click Next
  4. See next page appear with empty comment boxes

Works in Chrome. I suspect CSP is blocking the tinymce script (a WYSIWYG editor):

Loading failed for the <script> with source “https://cdn.tiny.cloud/1/pb9whpw3mt0slxvxuu8ywm97p0ryws45gmpjfi47c8y5a688/tinymce/5/tinymce.min.js”. 1d3d69fe-4079-11ec-94e6-005056bbe188:1:1
Content Security Policy: The page’s settings blocked the loading of a resource at https://cdn.tiny.cloud/1/pb9whpw3mt0slxvxuu8ywm97p0ryws45gmpjfi47c8y5a688/tinymce/5/tinymce.min.js (“default-src”).

The severity field is not set for this bug.
:dveditz, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dveditz)

The site's CSP header is:
default-src 'self' 'unsafe-inline' 'unsafe-eval' https://maxcdn.bootstrapcdn.com; script-src-elem 'self' 'unsafe-inline' https://cdn.tiny.cloud; connect-src 'self' https://ufp-backend.teamviewer.com; style-src-elem 'self' 'unsafe-inline' https://cdn.tiny.cloud; img-src 'self' https://sp.tinymce.com data:

The failing script is loaded from cdn.tiny.cloud. There is no script-src directive so Firefox falls back to default-src, and cdn.tiny.cloud is not found in either. There is a srcipt-src-elem directive and the host does appear in that one, but Firefox does not support this CSP Level 3 directive. At the moment neither does Safari, although caniuse says it's in their Technical Preview https://caniuse.com/?search=script-src-elem

see bug 1529337

I don't really understand why they didn't just use normal script-src. Presumably because they wanted script-src-attrib to fall back to something different, but either way attributes fall back to a wide open 'unsafe-inline' policy, and event-handler attributes don't know what to do with hosts. The site would be made compatible by changing script-src-elem to script-src and it would be no less secure (to be clear, that's not very secure at all with 'unsafe-inline' in there).

Component: Security → Desktop
Depends on: 1529337
Flags: needinfo?(dveditz)
Product: Core → Web Compatibility
Summary: Missing Comment Fields (TinyMCE blocked by CSP?) → Missing Comment Fields on ufp.teamviewer.com (TinyMCE blocked by CSP that relies on script-src-elem)

We appreciate your report. I was not able to reproduce the issue due to the fact that following the link provided, the page returns a "Survey not available" message on all browsers when pressing the "Start survey" button.

Reporter, could you please provide a link where we can try and reproduce de issue?

Tested with:

Browser / Version: Firefox Nightly 98.0a1 (2022-01-11) (64-bit)/Chrome Version 97.0.4692.71 (Official Build) (64-bit)
Operating System: Windows 10 PRO x64

Flags: needinfo?(gpascutto)
Assignee: nobody → gpascutto
Status: NEW → ASSIGNED

This isn't my site, so no.

Flags: needinfo?(gpascutto)
Assignee: gpascutto → nobody
Status: ASSIGNED → NEW

Without a valid link that reproduces the issue, I am afraid I am not able to move forward with this issue, as clicking on the "Start Survey" button returns an error message. If there is a way to trigger a valid survey, or you have one, please let us know.

Notes:

Since we are trying to triage some Bugzilla issues, I know it may be uncomfortable to assign this bug to you, but as a temporary measure, to keep this issue reappearing in our triage list, for the moment we have to assign it to the reporter. This will be addressed as soon as we can figure a clear and concise method on who we should assign bugs that are pending info from other users. Thank you.

Assignee: nobody → gpascutto
Status: NEW → ASSIGNED
Flags: needinfo?(gpascutto)
Flags: needinfo?(gpascutto)
Assignee: gpascutto → nobody
Status: ASSIGNED → NEW

I was not able to reproduce the issue. With a random survey, I was able to proceed to the next page, which loads with no issues encountered:

https://prnt.sc/iwXKU9GiuX_j
https://prnt.sc/Ilr0e5xaJIJL

Tested with:

Browser / Version: Firefox Release 101.0. (64-bit)/ Firefox Nightly 103.0a1 (2022-06-16) (64-bit)
Operating System: Windows 10 PRO x64

Reporter, is the issue still reproducible on your side? If so try clearing cache/data/cookies, disabling add-ons and Ad-blocker (if available) and extensions or use a clean profile, and check again? If there are any changes made to the default settings of the browser (e.g. in about:config) please revert to the default settings and try again. Also, have the required cookies been accepted for this page?

Flags: needinfo?(gpascutto)

Wouldn't know how to get a survey in TeamViewer but if you verified it works now that sounds good enough for me.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(gpascutto)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.