Closed Bug 1801062 Opened 3 years ago Closed 3 years ago

cascading menu in HTML does not show properly

Categories

(Core :: DOM: Security, defect)

Firefox 91
defect

RESOLVED DUPLICATE of bug 1764261

People

(Reporter: inoue.takashi, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

Open https://cccbdb.nist.gov/

Actual results:

A cascading menu at top of page is not shown properly.

Expected results:

A cascading menu should be shown at top of page as in other browsers.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Core & HTML' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core

The CSS is getting blocked:

Content Security Policy: Couldn’t parse invalid host self

In fact the csp has content-security-policy: default-src ‘self’, which other browsers manage to parse apparently? Tom, you've looked at CSP stuff lately, do you know what the spec says here? Maybe other browsers are just ignoring those two unpaired surrogates? Or maybe other browsers fail to parse the CSP header and don't restrict stuff at all?

Component: DOM: Core & HTML → DOM: Security
Flags: needinfo?(tschuster)

I believe this is a duplicate, but I didn't manage to find the other bug.

I remember the distinction is what browsers do with the parse error:

  • disregard only this host/keyword and end up with an empty list of hosts? That would disallow all?
  • disregard and drop the whole default-src directive? What would we do with a CSP that has zero directives?
  • disregard and drop the whole policy given the lack of directives?

On the one hand, unbreaking websites is nice. On the other hand, disabling the CSP is annoying.
So far, we've decided to stick with the strict CSP handling, but if this keeps making sites unusable we should revisit.

Tom, what's your opinion?
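
The three handling options listed in the comment above, modelled as an added example (not part of the bug thread and not Firefox's code): a simplified `default-src` parser plus a deploy-time lint for source tokens that fail to parse. The option names, function names and sample headers are assumptions constructed for illustration; typographic quotes (U+2018/U+2019) stand in for the malformed quoting around `self`.

```javascript
// Simplified grammar: keyword, scheme and host sources only (no nonces or hashes).
const KEYWORD = /^'(self|none|unsafe-inline|unsafe-eval)'$/;
const SCHEME = /^[a-z][a-z0-9+.-]*:$/i;
const HOST = /^([a-z][a-z0-9+.-]*:\/\/)?(\*|(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*)(:(\d+|\*))?(\/[^\s;,]*)?$/i;

// Split a policy into directives, sorting each source token into valid/invalid.
function parsePolicy(header) {
  return header.split(";").map(s => s.trim()).filter(Boolean).map(d => {
    const [name, ...tokens] = d.split(/\s+/);
    const valid = tokens.filter(t => KEYWORD.test(t) || SCHEME.test(t) || HOST.test(t));
    const invalid = tokens.filter(t => !valid.includes(t));
    return { name: name.toLowerCase(), valid, invalid };
  });
}

// Would a same-origin stylesheet load under each handling option (hypothetical names)?
// Only default-src and the sources 'self' and * are modelled.
function sameOriginStyleAllowed(header, option) {
  let directives = parsePolicy(header);
  const broken = directives.some(d => d.invalid.length > 0);
  if (option === "drop-directive") directives = directives.filter(d => d.invalid.length === 0);
  if (option === "drop-policy" && broken) directives = [];
  const fallback = directives.find(d => d.name === "default-src");
  if (!fallback) return true; // no directive left to restrict the load
  // "drop-token" lands here: an empty valid list matches nothing.
  return fallback.valid.some(s => s === "'self'" || s === "*");
}

// Deploy-time lint: report source tokens that the grammar above rejects.
function lintPolicy(header) {
  return parsePolicy(header).flatMap(d => d.invalid.map(token => ({
    directive: d.name,
    token,
    nonAscii: /[^\x00-\x7f]/.test(token),
  })));
}

// Constructed sample headers: typographic quotes versus ASCII quotes.
const BROKEN = "default-src \u2018self\u2019";
const FIXED = "default-src 'self'";

for (const option of ["drop-token", "drop-directive", "drop-policy"]) {
  console.log(option, sameOriginStyleAllowed(BROKEN, option));
}
console.log(lintPolicy(BROKEN), lintPolicy(FIXED));
```

In this model only the first option keeps the restriction in force, which matches the blocked stylesheet reported in this bug; the other two load the page by silently dropping the policy.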

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Duplicate of bug: 1764261
Flags: needinfo?(tschuster)
Resolution: --- → DUPLICATE

Reaching out to the site helped too. https://cccbdb.nist.gov/ should work again, they fixed their site. :)

We have the same problem on the site again.
I think Firefox should be fixed, since other browsers have no problem.

This was fixed in bug 1570722
