Closed Bug 1805948 Opened 2 years ago Closed 2 years ago

astrobiology.nasa.gov not loading on FF 108

Categories

(Core :: DOM: Security, defect)

Firefox 108
defect

Tracking


RESOLVED FIXED
110 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox108 --- wontfix
firefox109 --- fixed
firefox110 --- fixed

People

(Reporter: diannaS, Assigned: tschuster)

References

(Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Attached image actual108Mac.png

Filing this bug from reddit reports:
https://www.reddit.com/r/firefox/comments/zml8jl/astrobiologynasagov_not_loading_on_ff_but_does_on/

"Tried this in 2 different Windows computers, one on Win 10 w/ FF 108.0 stable and another on Win 11 and FF 109 beta, with all extensions disabled. I only get the headers, but the content is blank and on the same PCs Edge and Chrome are fine. Can anyone tell what's going on? https://astrobiology.nasa.gov/"

I was able to recreate this on macOS 12.2.1.
I ran mozregression and narrowed it down to bug 1797070.

STR:
- Simply load https://astrobiology.nasa.gov/ and notice only the headers appear and no image

Attached image Expected108Mac.png

Expected results from previous builds

Flags: needinfo?(evilpies)
Keywords: regression

The problem is not exactly adding preffed-off support for 'unsafe-hashes' in bug 1797070, but that the patch included the fix for bug 1644790 (CVE-2022-46873): pages got 'unsafe-hashes' behavior even when they didn't ask for it.

Regressed by: CVE-2022-46873

If you set the pref security.csp.unsafe-hashes.enabled to true the site works.

Depends on: csp-unsafe-hashes

Everything Daniel said is correct. We should probably just ship 'unsafe-hashes'. I am going to attach a patch to bug 1343950.

Flags: needinfo?(evilpies)

Interestingly enough even with 'unsafe-hashes' the page still seems to have some inline style defined via JS that is blocked. However I see something similar in Chrome as well.

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”). widgets.f26384f93da6.js:1:29228

Fixed in bug 1343950 by enabling security.csp.unsafe-hashes.enabled and verified on 110.0a1 on MacOS 12.2.1

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
See Also: → 1806845

Setting 108 to wontfix since there is a workaround

Bug 1343950 has been uplifted to Beta for 109.0b8 also now.

Assignee: nobody → tschuster
Target Milestone: --- → 110 Branch
