Open Bug 1898907 Opened 1 year ago Updated 1 year ago

CSP hash source incorrectly rendered in developer tools (also affects Copy Value)

Categories

(DevTools :: Console, defect)

Firefox 128
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: yesudeep, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Steps to reproduce:

I was testing a Content-Security-Policy header value using https://csp-evaluator.withgoogle.com/, and copied the CSP value from Firefox's Developer Tools in order to do that. However, I noticed that one of the hash sources for a strict CSP doesn't render or copy correctly when I click "Copy Value" for the Content-Security-Policy header.

Actual results:

The following is what gets copied:

child-src 'none'; connect-src 'self' https:; default-src 'none'; font-src https:; frame-src 'none'; img-src https:; manifest-src 'self'; media-src 'none'; object-src 'none'; script-src 'sha256-6QPOwdWeAVe8x-SsiDrm-Ga6u2DkqgG5SFqglrlyIgA=' 'sha256-AzdpkAtxtnhH46l_sKb57RBGbBAJrWLwghkEKajku_o=' 'sha256-D-SXAxymyg4P237-vnHfCw5Kh0MnGcSInc4NH3-48t4=' 'sha256-O2U-EPbisq4vvwVv1CWHWhwEsrHHtYRV_EzWcpGomHA=' 'sha256-PDlpJB1X8XVX0Ut1mNZ1Mu0W71UZW0Q1MJscwRcn4uc=' 'sha256-T_PWLkiEX_IYJwJ_wgxg4Ce7UtbwFJbSxB0OYcbBrF0=' 'sh…gA3umEaH0X_w=' 'sha256-azEog7ovHdDohBgrLqZ_uYwd_nLcpM6J7gcQtYt0Luc=' 'sha256-pHUhulys1a0GOaGHItSYnlLM62BVKL1Wj2uyvq2Jp7g=' 'sha256-wvjoxg31YTDV8gNxpZOISYIuu_8f9CO59ZXHxJw0NEI=' 'strict-dynamic'; script-src-attr 'none'; style-src 'sha256-ZnRFJy7msnKZwRXI26Tn8Yim3GhSquxVyFu_XDFpe24=' 'sha256-vfnAN3rFG0A_h1D6OdCVi2rl6u_wXmMiE_CdfDbNk4U=' https:; style-src-attr 'none'; worker-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; require-trusted-types-for 'script'; upgrade-insecure-requests;

Notice the 'sh…gA3umEaH0X_w=' hash source, which should be 'sha256-_v8oCErGlA-GDQJtUTBbsOrCGHPdPNYgA3umEaH0X_w=' as can be seen from the expected results below that I've obtained from the latest release build for Google Chrome.

When I toggle the "Raw" radio button, however, I do see the proper value set, so I'm guessing this is perhaps an issue with the displayed/copied value?

Expected results:

Google Chrome (125.0.6422.77) shows the following correctly:

child-src 'none'; connect-src 'self' https:; default-src 'none'; font-src https:; frame-src 'none'; img-src https:; manifest-src 'self'; media-src 'none'; object-src 'none'; script-src 'sha256-6QPOwdWeAVe8x-SsiDrm-Ga6u2DkqgG5SFqglrlyIgA=' 'sha256-AzdpkAtxtnhH46l_sKb57RBGbBAJrWLwghkEKajku_o=' 'sha256-D-SXAxymyg4P237-vnHfCw5Kh0MnGcSInc4NH3-48t4=' 'sha256-O2U-EPbisq4vvwVv1CWHWhwEsrHHtYRV_EzWcpGomHA=' 'sha256-PDlpJB1X8XVX0Ut1mNZ1Mu0W71UZW0Q1MJscwRcn4uc=' 'sha256-T_PWLkiEX_IYJwJ_wgxg4Ce7UtbwFJbSxB0OYcbBrF0=' 'sha256-Ya-p2yp5RcvkX1SlONWgqrIx6iyBZW-y7ZvI2TiR3Eg=' 'sha256-YtHFYfmpvHZqpWPlu4XLrY43EVYhhzye_66DV4alxmE=' 'sha256-ZfmRk2NGeXAZIlHgWfZt24KmT2tFvaeekyUxfCwgSes=' 'sha256-_v8oCErGlA-GDQJtUTBbsOrCGHPdPNYgA3umEaH0X_w=' 'sha256-azEog7ovHdDohBgrLqZ_uYwd_nLcpM6J7gcQtYt0Luc=' 'sha256-pHUhulys1a0GOaGHItSYnlLM62BVKL1Wj2uyvq2Jp7g=' 'sha256-wvjoxg31YTDV8gNxpZOISYIuu_8f9CO59ZXHxJw0NEI=' 'strict-dynamic'; script-src-attr 'none'; style-src 'sha256-ZnRFJy7msnKZwRXI26Tn8Yim3GhSquxVyFu_XDFpe24=' 'sha256-vfnAN3rFG0A_h1D6OdCVi2rl6u_wXmMiE_CdfDbNk4U=' https:; style-src-attr 'none'; worker-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; require-trusted-types-for 'script'; upgrade-insecure-requests;

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Severity: -- → S4
Component: DOM: Security → Console
Product: Core → DevTools
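
As an added example (not part of the bug report and not Firefox or DevTools code), a check like the following can be run on a copied Content-Security-Policy value before it is pasted into an evaluator: it flags tokens that contain an ellipsis or are malformed hash sources, and lists sources the raw header has but the copy lacks. The function names are hypothetical, and RAW/COPIED are shortened excerpts constructed from the values quoted in the report.

```javascript
// Added example: check a copied CSP value for display-truncation damage (hypothetical helper names).
const HASH_SOURCE = /^'sha(256|384|512)-([A-Za-z0-9+\/_-]+)={0,2}'$/;
const UNPADDED_LEN = { 256: 43, 384: 64, 512: 86 }; // base64 chars per digest size, padding stripped

// Split a serialized policy into directive name -> source list (first occurrence wins).
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    const key = (name || '').toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Flag tokens that contain an ellipsis or look like hash sources but are malformed.
function findDamagedSources(value) {
  const problems = [];
  for (const [directive, sources] of parseCsp(value)) {
    for (const source of sources) {
      const m = HASH_SOURCE.exec(source);
      let reason = null;
      if (/\u2026|\.\.\./.test(source)) reason = 'ellipsis';
      else if (/^'sha/i.test(source) && !m) reason = 'bad-hash-syntax';
      else if (m && m[2].length !== UNPADDED_LEN[m[1]]) reason = 'bad-digest-length';
      if (reason) problems.push({ directive, source, reason });
    }
  }
  return problems;
}

// List sources present in the raw header but absent from the copied value.
function missingSources(raw, copied) {
  const copiedMap = parseCsp(copied);
  const missing = [];
  for (const [directive, sources] of parseCsp(raw)) {
    const have = new Set(copiedMap.get(directive) || []);
    for (const s of sources) if (!have.has(s)) missing.push(`${directive} ${s}`);
  }
  return missing;
}

// Constructed excerpts: three hash sources taken from the report, plus the damaged token.
const KEPT = "'sha256-T_PWLkiEX_IYJwJ_wgxg4Ce7UtbwFJbSxB0OYcbBrF0='";
const LOST_A = "'sha256-ZfmRk2NGeXAZIlHgWfZt24KmT2tFvaeekyUxfCwgSes='";
const LOST_B = "'sha256-_v8oCErGlA-GDQJtUTBbsOrCGHPdPNYgA3umEaH0X_w='";
const RAW = `script-src ${KEPT} ${LOST_A} ${LOST_B} 'strict-dynamic'; object-src 'none';`;
const COPIED = `script-src ${KEPT} 'sh\u2026gA3umEaH0X_w=' 'strict-dynamic'; object-src 'none';`;
console.log(findDamagedSources(COPIED), missingSources(RAW, COPIED));
```

Comparing against the value shown with the "Raw" toggle is what makes `missingSources` useful: a policy that has lost hash sources still parses, so an evaluator alone would not report the loss.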