Closed Bug 1981945 Opened 13 days ago Closed 10 days ago

commented out objects still trigger CSP warning in console

Categories

(Core :: DOM: Security, defect)

Firefox 142
defect

RESOLVED INVALID

People

(Reporter: billc, Unassigned)

Details

Steps to reproduce:

In the web developer tools, when examining a page that has commented-out objects, Firefox will treat them as errors for Content Security Policy headers that would not allow them.

Actual results:

Content-Security-Policy: The page’s settings blocked an inline script (script-src-elem) from being executed because it violates the following directive: “script-src 'self'”. Consider using a hash ('sha256-ZswfTY7H35rbv8WC7NXBoiC7WNu86vSzCDChNWwZZDM=') or a nonce. utils.js:42:10

The code on the page is:
<!--script async src="https://FOO.com/upload.js" data-palette="black" data-auto-insert="html-embed-medium"></script-->
<!--script type="text/javascript" src="//mod.FOO.org/blah.js" charset="utf-8"></script-->

with CSP headers emitted by the webserver:
Content-Security-Policy " default-src 'self' 'unsafe-inline'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; connect-src 'self'; frame-src 'self'; object-src 'none'; media-src 'self'; child-src 'self'; worker-src 'self'; manifest-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests; block-all-mixed-content;"

Expected results:

Since the objects are commented out, they should not trigger anything because they are supposed to be treated as comments. Chrome does not exhibit this behavior, and is silent on the commented out objects and doesn't parse them.

Granted, it's a corner-case...

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

Neither of the two commented-out scripts would trigger the "inline script" error. The error messages would explicitly mention the upload.js and blah.js URLs. Can you construct a small HTML test case and attach it to this bug, or give us the URL of a public site that demonstrates the problem?

Flags: needinfo?(billc)
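As an added illustration of the triager's point (this is not code from the bug or from Firefox), a small Python check parses the markup quoted in the report: the commented-out tags come out as HTML comments, not script elements, so they can never be the "inline script" in the error, whereas a real inline script (a constructed `console.log` body here) is exactly what `script-src 'self'` blocks, and its CSP hash source is the value the console message suggests adding.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed test page: the two commented-out tags from the bug report plus
# one genuine inline script, so the parser output shows which become elements.
TEST_HTML = """<!doctype html>
<html><head>
<!--script async src="https://FOO.com/upload.js" data-palette="black" data-auto-insert="html-embed-medium"></script-->
<!--script type="text/javascript" src="//mod.FOO.org/blah.js" charset="utf-8"></script-->
<script>console.log('hello');</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect <script> elements (src, inline body) and HTML comments separately."""

    def __init__(self):
        super().__init__()
        self.scripts = []    # (src or None, inline body) per real <script> element
        self.comments = []   # raw text of every <!-- ... --> comment
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = [dict(attrs).get("src"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(tuple(self._current))
            self._current = None

    def handle_comment(self, data):
        self.comments.append(data)


def classify_scripts(html):
    """Return (script elements, comments) found by a standard HTML parser."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts, p.comments


def csp_sha256(inline_body):
    """CSP hash source for an inline script body, in the 'sha256-<base64>' form
    the console message suggests; a matching value in script-src allows it."""
    digest = hashlib.sha256(inline_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")
```

Only `(None, "console.log('hello');")` is reported as a script element; an inline script with no `src` is the only thing the reported policy can describe as "an inline script (script-src-elem)".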

That was a good clue. Turns out Privacy Badger was firing this error off (I had it enabled on Private windows).

This can be closed, and I shall hang my head in shame. lol.

Status: UNCONFIRMED → RESOLVED
Closed: 10 days ago
Flags: needinfo?(billc)
Resolution: --- → INVALID