Closed Bug 1957333 Opened 22 days ago Closed 14 days ago

HTML preview of response is affected by the netmonitor's CSP

Categories

(DevTools :: Netmonitor, defect, P2)

Product:
DevTools
Component:
Netmonitor
Version:
Firefox 137
Type:
defect

Tracking

(firefox-esr128 unaffected, firefox137 wontfix, firefox138 fixed, firefox139 fixed)

Status:
RESOLVED FIXED
Milestone:
139 Branch
Tracking Flags:
Tracking Status
firefox-esr128 --- unaffected
firefox137 --- wontfix
firefox138 --- fixed
firefox139 --- fixed

People

(Reporter: pesek.kamil, Assigned: tschuster)

References

(Regression)

Details

(Keywords: regression)

Attachments

(4 files)

error.html
16.35 KB, text/html
Details
Screenshot.png
5.59 KB, image/png
Details
Bug 1957333 - Beta: Remove CSP from Netmonitor. r?#devtools-reviewers
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1957333 - Use loadURI for HTML preview to prevent inheriting the CSP. r?#devtools-reviewers!,nika!
48 bytes, text/x-phabricator-request
Details | Review
Attached file error.html

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0

Steps to reproduce:

I want to see HTML response in Developer Tools -> Network -> Select request -> Response -> HTML preview.

I believe it stopped working max month ago. It's similar problem which was there previously https://bugzilla.mozilla.org/show_bug.cgi?id=1804232

Actual results:

HTML is not shown correctly, sometimes nothing is shown (probably when there is more complex HTML or CSS), sometimes just part is shown but without any details.

Expected results:

Correct HTML preview should be shown, as previously.

Attached image Screenshot.png

Comment on attachment 9475640 [details]
error.html

This is debug message generated by PHP framework Symfony

The Bugbug bot thinks this bug should belong to the 'DevTools::Netmonitor' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Netmonitor
Product: Firefox → DevTools

Hello Kamil, thanks for the report.
Would you be able to run https://mozilla.github.io/mozregression/ and report the results here so we know when it regressed?

Flags: needinfo?(pesek.kamil)

(looks like Bug 1957202 is similar)

See Also: → 1957202

This is caused by D238046 apparently we are rendering the response using an iframe with a data: URL inside the web console. netmonitor/index.html now has a CSP that blocks most styles/images etc.

We really should not be rendering this untrusted HTML directly inside the devtools. I think for similar cases inside the browser (like the sidebar) we would usually use a <browser> element.

Regressions: 1943360

To make uplifts easier we probably need to remove the CSP in 137/138.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Duplicate of this bug: 1957202
See Also: 1957202
Keywords: regression
Regressed by: 1943360
No longer regressions: 1943360
Summary: Html preview of response → HTML preview of response is affected by the netmonitor's CSP
Flags: needinfo?(pesek.kamil)
Assignee: nobody → tschuster
status-firefox139: --- → affected

This partially reverts D238046.

Attachment #9475978 - Flags: approval-mozilla-beta?
See Also: → 1957585
Attachment #9475991 - Attachment description: WIP: Bug 1957333 - Use loadURI for HTML preview to prevent inheriting the CSP → Bug 1957333 - Use loadURI for HTML preview to prevent inheriting the CSP. r?#devtools-reviewers!,nika!

Set release status flags based on info from the regressing bug 1943360

status-firefox-esr128: --- → unaffected

Tom, do you think we should move the second patch to another bug so that we can close this one once the regression is fixed and uplifted?

Severity: -- → S3
Flags: needinfo?(tschuster)
Priority: -- → P2

(In reply to Julian Descottes [:jdescottes] from comment #13)

Tom, do you think we should move the second patch to another bug so that we can close this one once the regression is fixed and uplifted?

I actually think it's easier to track everything in one bug. We have release specific tracking flags, and the Beta (and maybe Release) patch is basically just a backout.

Flags: needinfo?(tschuster)

Comment on attachment 9475978 [details]
Bug 1957333 - Beta: Remove CSP from Netmonitor. r?#devtools-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: The HTML preview in the Devtools Network Monitor doesn't use CSS stylesheets, images etc. So this only matters to web developers.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is essentially just a backout.
  • String changes made/needed:
  • Is Android affected?: No

In D243788 I am adding a test that covers this problem.

Attachment #9475991 - Attachment description: Bug 1957333 - Use loadURI for HTML preview to prevent inheriting the CSP. r?#devtools-reviewers!,nika! → Bug 1957333 - Switch the HTML preview to using a <browser> to prevent inheriting the CSP. r?#devtools-reviewers!,nika!
Attachment #9475991 - Attachment description: Bug 1957333 - Switch the HTML preview to using a <browser> to prevent inheriting the CSP. r?#devtools-reviewers!,nika! → Bug 1957333 - Use loadURI for HTML preview to prevent inheriting the CSP. r?#devtools-reviewers!,nika!
Attachment #9475978 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Approved for 138.0b5 (fixed by backout). This reverts part of bug 1943360 but remains in 139 which should be fixed by D243788.

Tom , whats the eta in landing that patch for 139?

Flags: needinfo?(tschuster)
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/340abfffec9d Use loadURI for HTML preview to prevent inheriting the CSP. r=nika,ochameau

Tom , whats the eta in landing that patch for 139?

Just landed now.

Flags: needinfo?(tschuster)

https://hg.mozilla.org/mozilla-central/rev/340abfffec9d

Status: NEW → RESOLVED
Closed: 14 days ago
status-firefox139: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch
Duplicate of this bug: 1958776
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: