Missing Comment Fields on ufp.teamviewer.com (TinyMCE blocked by CSP that relies on script-src-elem)
Categories
(Web Compatibility :: Site Reports, defect)
Tracking
(firefox96 affected)
Tracking | Status
---|---
firefox96 | affected
People
(Reporter: gcp, Unassigned)
Details
STR:
- Load https://ufp.teamviewer.com/cb/participate/1d3d69fe-4079-11ec-94e6-005056bbe188
- Fill in random stuff on the first page
- Click Next
- See next page appear with empty comment boxes
Works in Chrome. I suspect CSP is blocking the tinymce script (a WYSIWYG editor):
Loading failed for the <script> with source “https://cdn.tiny.cloud/1/pb9whpw3mt0slxvxuu8ywm97p0ryws45gmpjfi47c8y5a688/tinymce/5/tinymce.min.js”. 1d3d69fe-4079-11ec-94e6-005056bbe188:1:1
Content Security Policy: The page’s settings blocked the loading of a resource at https://cdn.tiny.cloud/1/pb9whpw3mt0slxvxuu8ywm97p0ryws45gmpjfi47c8y5a688/tinymce/5/tinymce.min.js (“default-src”).
Comment 1•3 years ago
The severity field is not set for this bug.
:dveditz, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 2•3 years ago
The site's CSP header is:
default-src 'self' 'unsafe-inline' 'unsafe-eval' https://maxcdn.bootstrapcdn.com; script-src-elem 'self' 'unsafe-inline' https://cdn.tiny.cloud; connect-src 'self' https://ufp-backend.teamviewer.com; style-src-elem 'self' 'unsafe-inline' https://cdn.tiny.cloud; img-src 'self' https://sp.tinymce.com data:
The failing script is loaded from cdn.tiny.cloud. There is no script-src directive so Firefox falls back to default-src, and cdn.tiny.cloud is not found in either. There is a script-src-elem directive and the host does appear in that one, but Firefox does not support this CSP Level 3 directive. At the moment neither does Safari, although caniuse says it's in their Technical Preview https://caniuse.com/?search=script-src-elem

See bug 1529337.

I don't really understand why they didn't just use normal script-src. Presumably because they wanted script-src-attr to fall back to something different, but either way attributes fall back to a wide open 'unsafe-inline' policy, and event-handler attributes don't know what to do with hosts. The site would be made compatible by changing script-src-elem to script-src and it would be no less secure (to be clear, that's not very secure at all with 'unsafe-inline' in there).
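The fallback described in comment 2 can be made concrete with a small model. The following is an added example, not code from the bug report, from Mozilla or from TeamViewer: it parses the header quoted above and resolves which directive governs an external script element fetch under the CSP Level 3 chain (script-src-elem, then script-src, then default-src) and under the chain used by a user agent that does not implement script-src-elem (script-src, then default-src). The policy strings are the ones from the comment; the "fixed" variant renames script-src-elem to script-src as the comment proposes. The source matcher is deliberately simplified (paths and ports in host-sources are ignored, and the nonce/hash interaction with 'unsafe-inline' is not modelled); those simplifications are assumptions of this example, not of the spec.

```python
# Added example (not code from the bug report, Mozilla or TeamViewer): a small
# model of how a user agent picks the CSP directive that governs an external
# <script src> fetch, showing why an agent without script-src-elem support
# blocks cdn.tiny.cloud under the site's header while a Level 3 agent allows
# it, and why renaming the directive to script-src satisfies both.
from urllib.parse import urlparse

# The header quoted in comment 2, and the variant comment 2 proposes.
SITE_CSP = (
    "default-src 'self' 'unsafe-inline' 'unsafe-eval' https://maxcdn.bootstrapcdn.com; "
    "script-src-elem 'self' 'unsafe-inline' https://cdn.tiny.cloud; "
    "connect-src 'self' https://ufp-backend.teamviewer.com; "
    "style-src-elem 'self' 'unsafe-inline' https://cdn.tiny.cloud; "
    "img-src 'self' https://sp.tinymce.com data:"
)
FIXED_CSP = SITE_CSP.replace("script-src-elem", "script-src")

PAGE_ORIGIN = "https://ufp.teamviewer.com"
TINYMCE_URL = ("https://cdn.tiny.cloud/1/pb9whpw3mt0slxvxuu8ywm97p0ryws45gmpjfi47c8y5a688"
               "/tinymce/5/tinymce.min.js")

# Fallback chains for a script *element* fetch. A CSP Level 3 agent consults
# script-src-elem first; an agent that does not implement it (Firefox 96, per
# comment 2) ignores that directive entirely and starts at script-src.
LEVEL3_CHAIN = ("script-src-elem", "script-src", "default-src")
LEVEL2_CHAIN = ("script-src", "default-src")


def parse_csp(header):
    """Split a serialized policy into {directive-name: [source expressions]}.

    A repeated directive name is ignored (the first occurrence wins).
    """
    policy = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_directive(policy, chain):
    """Return the first directive in the fallback chain that the policy defines."""
    for name in chain:
        if name in policy:
            return name
    return None  # nothing applies: the fetch is unrestricted


def source_allows(expr, url, page_origin):
    """Minimal source-expression match for a fetch URL (simplified model:
    paths and ports in host-sources are ignored)."""
    expr = expr.lower()
    target = urlparse(url)
    if expr == "'self'":
        origin = urlparse(page_origin)
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if expr.startswith("'"):
        # 'none', 'unsafe-inline', 'unsafe-eval', nonces, hashes: never match a host
        return False
    if expr == "*":
        return target.scheme in ("http", "https")
    if expr.endswith(":") and "/" not in expr:
        return target.scheme == expr[:-1]  # scheme-source such as data:
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
        if target.scheme != scheme:
            return False
    host = expr.split("/", 1)[0].split(":", 1)[0]
    hostname = target.hostname or ""
    if host.startswith("*."):
        return hostname.endswith(host[1:])
    return hostname == host


def script_allowed(header, script_url, page_origin, chain=LEVEL3_CHAIN):
    """Return (allowed, governing directive) for an external script fetch."""
    policy = parse_csp(header)
    name = governing_directive(policy, chain)
    if name is None:
        return True, None
    return any(source_allows(e, script_url, page_origin) for e in policy[name]), name


if __name__ == "__main__":
    for label, header in (("site header", SITE_CSP), ("script-src instead", FIXED_CSP)):
        for agent, chain in (("Level 3 agent", LEVEL3_CHAIN), ("Firefox 96", LEVEL2_CHAIN)):
            ok, directive = script_allowed(header, TINYMCE_URL, PAGE_ORIGIN, chain)
            state = "allowed" if ok else "BLOCKED"
            print(f"{label:20} {agent:14} -> {state:8} by {directive}")
```

Run stand-alone, the script prints four rows: the site header allows the TinyMCE script for a Level 3 agent (governed by script-src-elem) but blocks it for the Level 2 chain (governed by default-src, which is exactly the directive named in the console error in the description), while the script-src variant allows it under both chains.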
Comment 3•3 years ago
We appreciate your report. I was not able to reproduce the issue due to the fact that following the link provided, the page returns a "Survey not available" message on all browsers when pressing the "Start survey" button.
Reporter, could you please provide a link where we can try and reproduce the issue?
Tested with:
Browser / Version: Firefox Nightly 98.0a1 (2022-01-11) (64-bit)/Chrome Version 97.0.4692.71 (Official Build) (64-bit)
Operating System: Windows 10 PRO x64
Comment 5•3 years ago
Without a valid link that reproduces the issue, I am afraid I am not able to move forward with this issue, as clicking on the "Start Survey" button returns an error message. If there is a way to trigger a valid survey, or you have one, please let us know.
Notes:
Since we are trying to triage some Bugzilla issues, I know it may be uncomfortable to assign this bug to you, but as a temporary measure, to keep this issue reappearing in our triage list, for the moment we have to assign it to the reporter. This will be addressed as soon as we can figure out a clear and concise method for deciding to whom we should assign bugs that are pending info from other users. Thank you.
Comment 6•2 years ago
I was not able to reproduce the issue. With a random survey, I was able to proceed to the next page, which loads with no issues encountered:
https://prnt.sc/iwXKU9GiuX_j
https://prnt.sc/Ilr0e5xaJIJL
Tested with:
Browser / Version: Firefox Release 101.0. (64-bit)/ Firefox Nightly 103.0a1 (2022-06-16) (64-bit)
Operating System: Windows 10 PRO x64
Reporter, is the issue still reproducible on your side? If so, try clearing cache/data/cookies, disabling add-ons and Ad-blocker (if available) and extensions, or use a clean profile, and check again. If there are any changes made to the default settings of the browser (e.g. in about:config) please revert to the default settings and try again. Also, have the required cookies been accepted for this page?
Comment 7•2 years ago
Wouldn't know how to get a survey in TeamViewer but if you verified it works now that sounds good enough for me.