Last Comment Bug 493857 - (CSP) Implement Content Security Policy
(CSP)
: Implement Content Security Policy
Status: ASSIGNED
: doc-bug-filed
Product: Core
Classification: Components
Component: Security (show other bugs)
: Trunk
: All All
: P1 enhancement with 27 votes (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
: Mihai Morar, (:MihaiMorar)
: David Keeler [:keeler] (use needinfo?)
Mentors:
http://www.w3.org/TR/CSP/
: 361915 390910 463948 (view as bug list)
Depends on: 615708 csp-w3c-1.0 866522 878608 918724 957980 csp-w3c-2 1012592 1014545 1021970 1033675 1037335 1045893 1052887 1100630 1134084 1192684 1199977 csp-w3c-3 CVE-2010-0182 515433 515437 515442 515443 515458 515460 529697 544061 548193 548949 548984 550442 552523 556625 558429 558431 560574 561051 570017 570505 576200 578075 587377 594446 600584 602063 604177 605900 606039 607067 607069 608131 609748 612391 615711 617195 631040 634773 634778 638320 639533 650386 663567 663570 671389 672961 673645 687086 702176 722547 737064 741019 746978 766536 766569 779918 784315 788337 792161 792214 792542 801783 802872 802905 805929 808292 809982 809983 826805 832398 832558 836922 837682 841402 842657 843311 846978 847067 847081 855326 858780 858787 858789 864675 883975 886164 903080 CVE-2016-2833 909029 CVE-2014-1504 csp-report-uri-tests 915824 916054 918397 919209 925004 925186 929653 933413 935690 938652 942345 csp-legacy-removal CVE-2015-0809 951457 963668 964276 965273 965727 984808 991468 991474 991972 993477 994782 994872 1000945 1005225 1011841 1021669 1026520 1027833 1027868 1028490 1030936 1031658 1032303 1033423 1034156 1037768 1048048 1057376 1063021 CVE-2015-4490 1089255 1089746 1106775 1112782 1265316
Blocks: clickjacking 485488 html5test 1024557 xss 569993 898190 1011098 1089912
  Show dependency treegraph
 
Reported: 2009-05-19 15:57 PDT by Brandon Sterne (:bsterne)
Modified: 2016-06-15 06:06 PDT (History)
65 users (show)
benjamin: blocking1.9.2-
benjamin: wanted1.9.2-
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
CSP data structures & policy methods (18.61 KB, text/plain)
2009-05-19 16:54 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details
unit tests for the CSPUtils.jsm objects (15.42 KB, application/x-javascript)
2009-05-19 16:58 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details
CSP work in progress (20.72 KB, patch)
2009-06-07 10:04 PDT, Brandon Sterne (:bsterne)
no flags Details | Diff | Splinter Review
CSP Work in Progress (v2) (72.34 KB, patch)
2009-06-12 11:41 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details | Diff | Splinter Review
CSP Work in Progress (v3) (80.19 KB, patch)
2009-06-18 16:42 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details | Diff | Splinter Review
Incremental upgrade from v3 (81.58 KB, patch)
2009-07-06 16:57 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details | Diff | Splinter Review
no event listeners for event-handling attributes (1.08 KB, patch)
2009-07-08 09:54 PDT, Brandon Sterne (:bsterne)
no flags Details | Diff | Splinter Review
CSP Work in Progress (v3.6) (82.96 KB, patch)
2009-07-08 17:07 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details | Diff | Splinter Review
CSP Work in Progress (v4) (91.02 KB, patch)
2009-07-15 17:42 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details | Diff | Splinter Review
CSP Work in Progress (v4.1) (94.75 KB, patch)
2009-07-21 16:54 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details | Diff | Splinter Review
CSP Work in Progress (v5) (99.27 KB, patch)
2009-07-23 17:11 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details | Diff | Splinter Review
CSP Work in Progress (v5.1) (25.91 KB, patch)
2009-08-13 16:31 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details | Diff | Splinter Review
CSP Work in Progress (v5.1 - repaired) (101.78 KB, patch)
2009-08-13 16:36 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details | Diff | Splinter Review
CSP Work in Progress (v5.2) (103.81 KB, patch)
2009-08-14 16:15 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details | Diff | Splinter Review
Redirect handling PoC - applies to v5.2 (34.39 KB, patch)
2009-08-19 17:15 PDT, Brandon Sterne (:bsterne)
no flags Details | Diff | Splinter Review
CSP Work in Progress (v5.3) (112.46 KB, patch)
2009-08-21 17:30 PDT, Sid Stamm [:geekboy or :sstamm]
no flags Details | Diff | Splinter Review

Description Brandon Sterne (:bsterne) 2009-05-19 15:57:19 PDT
Implement the specification for Content Security Policy to mitigate code injection attacks.

Background information:
https://wiki.mozilla.org/Security/CSP
http://people.mozilla.org/~bsterne/content-security-policy/
Comment 1 Alex Vincent [:WeirdAl] 2009-05-19 16:23:00 PDT
Umm... this part really worries me:
https://wiki.mozilla.org/Security/CSP/Spec#No_inline_JavaScript_will_execute

Specifically, breaking the onclick event listener and the <a
href="javascript:foo()"></a> functionality.  The onclick attribute is part of
the HTML 4.01 specification, and onclick has worked forever (DOM Level 0).

Also, your specification states: "The contents of internal <script> nodes" will
be restricted.  What's an internal script node (as opposed to an external one)?

Finally, under "Activation and Enforcement", I wonder what would happen were a
malicious script to do its dirty work, and then forcibly insert the meta tag.
(I'm not saying this is a problem - I'm just curious.)
Comment 2 Sid Stamm [:geekboy or :sstamm] 2009-05-19 16:54:52 PDT
Created attachment 378464 [details]
CSP data structures & policy methods

First rough impl. of the CSP data structures.  Eventually will turn into a Javascript module, thus the .jsm extension.  Does not fetch external policies yet.
Comment 3 Sid Stamm [:geekboy or :sstamm] 2009-05-19 16:58:36 PDT
Created attachment 378466 [details]
unit tests for the CSPUtils.jsm objects

Here are some unit tests for the CSPUtils.jsm data structures and methods.  They were kind of hacked out quickly and we could surely use more cases to test.  These are meant to be stand-alone tests, and don't rely on any other source code except the CSPUtils.

To run them, install some JS shell or interpreter of some sort (I used rhino) and load this TestCSPUtils.js file in the interpreter.  Make sure the other (CSPUtils.jsm) file is in the same directory since it's referenced from the TestCSPUtils.js file.
Comment 4 Brandon Sterne (:bsterne) 2009-05-19 17:10:21 PDT
(In reply to comment #1)
> Specifically, breaking the onclick event listener and the <a
> href="javascript:foo()"></a> functionality.  The onclick attribute is part of
> the HTML 4.01 specification, and onclick has worked forever (DOM Level 0).

It is, however, an opt-in mechanism.  We aren't breaking DOM across the board, only for sites that choose to use CSP.  You have highlighted, though, the biggest challenge for sites wanting to adopt CSP.  We plan to provide documentation and possibly tools to sites to help ease their transition.

> Also, your specification states: "The contents of internal <script> nodes" will
> be restricted.  What's an internal script node (as opposed to an external one)?

An internal <script> node is one in the top-level protected document.  An external <script> node is one in an externally-linked JavaScript file.

> Finally, under "Activation and Enforcement", I wonder what would happen were a
> malicious script to do its dirty work, and then forcibly insert the meta tag.
> (I'm not saying this is a problem - I'm just curious.)

Since the policy can only place additional "restrictions" on a page, we feel the risk of injected policy is very low.  For instance, and injected policy could prevent a resource's images or script files from loading, but couldn't de-escalate the security policy for a resource below the defaults (same-origin, etc.).
Comment 5 Daniel Veditz [:dveditz] 2009-05-21 23:14:32 PDT
(In reply to comment #1)
> Specifically, breaking the onclick event listener and the <a
> href="javascript:foo()"></a> functionality.  The onclick attribute is part of
> the HTML 4.01 specification, and onclick has worked forever (DOM Level 0).

The highest priority goal of CSP is to help sites eliminate XSS, a problem which has been found to affect something like 80-90% of even the best-run sites. Funny you should mentions the onclick attribute as that one specifically is a popular one to abuse. Whether the burden of rewriting your site to the supported safe subset of HTML is worth it depends on how valuable the contents of your site are.

Note that we are not eliminating event handlers, just the ability to specify them inline. AddEventListener() will still work, as will setting the .click property of a DOM node. This is a little cumbersome, but there are already sites that do this for some of their content.

CSP is a gamble, it could be that the hurdle will turn out to be too high. But if we can get authors over that hurdle we can promise them a safer site.
Comment 6 Nochum Sossonko [:Natch] 2009-05-31 17:03:19 PDT
*** Bug 463948 has been marked as a duplicate of this bug. ***
Comment 7 Brandon Sterne (:bsterne) 2009-06-07 10:04:36 PDT
Created attachment 382041 [details] [diff] [review]
CSP work in progress

Adds CSP object as part of nsDocument with stub for RefinePolicy.  Adds nsIContentPolicy which locates the CSP object on the document when ShouldLoad is called.
Comment 8 Sid Stamm [:geekboy or :sstamm] 2009-06-12 11:41:16 PDT
Created attachment 382990 [details] [diff] [review]
CSP Work in Progress (v2)

CSP work in progress (updated)

Ties CSP policy data structure objects and enforcement hooks all together.  With this patch, policies are loaded from the HTTP response header and parsed, then enforced.

This patch also supports policy-uri (though synchronously, and probably with a bit of UI lag).
Comment 9 Sid Stamm [:geekboy or :sstamm] 2009-06-18 16:42:54 PDT
Created attachment 384026 [details] [diff] [review]
CSP Work in Progress (v3)

This patch is an upgrade from the v2 patch and includes a rough implementation of Policy Violation reporting (via asynchronous XHR POST) and frame-ancestor checking.
Comment 10 Sid Stamm [:geekboy or :sstamm] 2009-07-06 16:57:56 PDT
Created attachment 387098 [details] [diff] [review]
Incremental upgrade from v3

This patch includes:
- parsing the "inline" and "eval" keywords in the script-src directive
- suppresses cookies from requests sent for policy URI fetch and violation report sending
- converted hand-rolled unit tests to xpcshell tests (make -C caps/test xpcshell-tests)
Comment 11 Brandon Sterne (:bsterne) 2009-07-08 09:54:46 PDT
Created attachment 387470 [details] [diff] [review]
no event listeners for event-handling attributes

Spoke with sicking and jst.  Returning early from nsEventListenerManager::AddScriptEventListener prevents event listeners from being added due to on<event> attributes.  I posted a test for this behavior here:
http://hackmill.com/csp/tests/event-handling-attrs.php
Comment 12 Sid Stamm [:geekboy or :sstamm] 2009-07-08 17:07:37 PDT
Created attachment 387569 [details] [diff] [review]
CSP Work in Progress (v3.6)

Updated patch to fix some URI scheme parsing issues.
Comment 13 Sid Stamm [:geekboy or :sstamm] 2009-07-15 17:42:30 PDT
Created attachment 388837 [details] [diff] [review]
CSP Work in Progress (v4)

Adds "security.csp.enable" pref (default true) that can be set to false to disable CSP globally.  Also merges event listener patch with main WIP patch.
Comment 14 Benjamin Smedberg [:bsmedberg] 2009-07-21 13:18:23 PDT
If this goes in 1.9.2 at all I think it needs to block the alpha.
Comment 15 Sid Stamm [:geekboy or :sstamm] 2009-07-21 16:54:25 PDT
Created attachment 389817 [details] [diff] [review]
CSP Work in Progress (v4.1)

Adds:
- Hooks into nsJSTimeoutHandler to turn off setTimeout() and setInterval() for string arguments (unless of course the CSP allows Eval stuff).
- Cleans out printf() statements, replacing them with PR_LOGGING stuff.  Still need to update the .js files for this, but can probably be done by changing CSPdebug, CSPError and CSPWarning.
Comment 16 Reed Loden [:reed] (use needinfo?) 2009-07-22 18:32:06 PDT
Comment on attachment 389817 [details] [diff] [review]
CSP Work in Progress (v4.1)

>+ * The Initial Developer of the Original Code is
>+ *   Sid Stamm <sid@mozilla.com>

No, the initial developer is MoCo or MoFo. You should just list yourself under contributors.
Comment 17 Sid Stamm [:geekboy or :sstamm] 2009-07-23 17:11:11 PDT
Created attachment 390366 [details] [diff] [review]
CSP Work in Progress (v5)

This patch includes miscellaneous fixes and rewriting of the parser.  Unit tests for CSPUtils.jsm have been heavily modified for correctness and to include "self" definitions where necessary.  (e.g., can't create a source "a.com" without knowing the scheme and port of 'self')  Highlights in this update from patch v4.1:
- Fixed license "initial developer" string (thanks reed, didn't know this was the common practice, now I do)
- 'self' keyword can only be stand-alone, not used used as anything other than scheme, host *and* port
- keywords are now quoted as per spec (e.g., 'none')
- host-less schemes (like data: and javascript:) are valid sources
- application/xml sent as MIME type for violation reports
- font-src and xml-src directives are now supported
- "report-only" variation based on the HTTP header name (https://wiki.mozilla.org/Security/CSP/Spec#Report-Only_mode)
Comment 18 Benjamin Smedberg [:bsmedberg] 2009-07-28 11:57:31 PDT
Per the platform meeting today, this is going to miss 1.9.2 and we don't want to take it after this week's beta, so this will have to wait for 1.9.3.
Comment 19 Sid Stamm [:geekboy or :sstamm] 2009-08-13 16:31:33 PDT
Created attachment 394402 [details] [diff] [review]
CSP Work in Progress (v5.1)

This patch includes miscellaneous fixes from v5.  Unit tests for CSPUtils.jsm have been fixed to support quoted keywords ('self', etc) and for correct behavior with source lists containing unidentifiable tokens.
- CSP parser enforces same-origin (scheme/host/port) for policy URI fetching
- CSP parser enforces ETLD+1 (public suffix + 1) matching for report URIs
- Variety of other minor fixes.
Comment 20 Sid Stamm [:geekboy or :sstamm] 2009-08-13 16:36:33 PDT
Created attachment 394403 [details] [diff] [review]
CSP Work in Progress (v5.1 - repaired)

Oops, previous attachment for v5.1 was incomplete.  This attachment fixes that.
Comment 21 Sid Stamm [:geekboy or :sstamm] 2009-08-14 16:15:42 PDT
Created attachment 394589 [details] [diff] [review]
CSP Work in Progress (v5.2)

- fixed a few policy initialization bugs ('inline' and 'eval' were ignored due to the way the policy was intersected with "allow *" initially)  'inline' and 'eval' are now digested properly
- added checking on link clicks to block javascript: URIs when 'inline' is not specified in the policy
Comment 22 Brandon Sterne (:bsterne) 2009-08-19 17:15:18 PDT
Created attachment 395460 [details] [diff] [review]
Redirect handling PoC - applies to v5.2

Here is a proof of concept for a workaround to the redirects-don't-call-into-Content-Policy problem.  This patch only implements the restrictions for image loading, so a lot of other code would need to be added to handle all the other types of loads.

The basic idea is to let all new channel creation go through a helper function, NewChannelIfPolicyOK, which works like NS_NewChannel but also takes a CSP object and a load type.  The CSP and load type are added to the initial channel's property bag when it's created.  These can be propagated forward as a channel redirects and can be used at each hop to decide whether or not to allow the redirect.
Comment 23 Sid Stamm [:geekboy or :sstamm] 2009-08-21 17:30:35 PDT
Created attachment 396000 [details] [diff] [review]
CSP Work in Progress (v5.3)

This new version is a rewrite:
- Completely rewrote the CSP parser ... it's now not as fragile and easier to read
- Reviewed and revised unit tests so they reflect the spec
Comment 24 Sid Stamm [:geekboy or :sstamm] 2009-10-08 14:05:51 PDT
Patches to deploy CSP are now split out into more bite-size pieces for the bits of functionality involved with what we call "CSP."  As a result, the patches in this bug are invalid: see the bugs this one depends on.
Comment 25 Cork 2009-10-18 04:52:17 PDT
I think someone should try posting about this at http://connect.microsoft.com/feedback/default.aspx?SiteID=136

With some luck this might make into ie too fairly soon.
Comment 26 Sid Stamm [:geekboy or :sstamm] 2010-02-01 11:49:30 PST
Related bug in webkit:
https://bugs.webkit.org/show_bug.cgi?id=30081
Comment 27 Brandon Sterne (:bsterne) 2010-04-15 09:54:42 PDT
Comment on attachment 395460 [details] [diff] [review]
Redirect handling PoC - applies to v5.2

Redirects in CSP are handled in bug 515797, bug 523239, and bug 515460.
Comment 28 Eric Shepherd [:sheppy] 2010-06-17 11:54:54 PDT
We have initial documentation here:

https://developer.mozilla.org/en/Introducing_Content_Security_Policy

What more is needed?
Comment 30 Brandon Sterne (:bsterne) 2010-10-10 19:55:04 PDT
Awesome, sheppy.  I'll review the docs tomorrow.
Comment 31 Eric Shepherd [:sheppy] 2010-10-11 06:41:52 PDT
I've added the doc on the policy violation reports here:

https://developer.mozilla.org/en/Security/CSP/Using_CSP_violation_reports

Paul has given the docs a once-over, and I've emailed a few questions to bsterne. Other than that, and bsterne's review, these are complete.
Comment 32 Mihai Morar, (:MihaiMorar) 2013-08-28 05:34:46 PDT
Hi Bradon. I want to test this feature but don't really know where to start from. Can you please provide any guildline please so I can create a test plan and some test cases for sign-off.
Comment 33 Mihai Morar, (:MihaiMorar) 2013-08-28 05:35:03 PDT
Hi Bradon. I want to test this feature but don't really know where to start from. Can you please provide any guildline so I can create a test plan and some test cases for sign-off.
Comment 34 Sid Stamm [:geekboy or :sstamm] 2013-08-28 05:42:40 PDT
Mihai: Brandon is no longer actively working on this.

Here's the specification for the feature: http://www.w3.org/TR/CSP/

We have many tests for this in our mochitest suite already.  This is a metabug, please look at all the blocking bugs to see the real work.
Comment 35 Mihai Morar, (:MihaiMorar) 2013-08-28 05:57:01 PDT
Thanks Sid. If there are any test plan or additional test cases required please let me know.
Comment 36 Mihai Morar, (:MihaiMorar) 2013-08-30 02:25:14 PDT
I ran on local machines following Run Tests and got 23 failures. Results: (164/187)

Test Runs:
http://csptesting.herokuapp.com/

Failures: Same failures for Windows 7 x64, Ubuntu 13.04 x86 and Mac OS 10.8 on FF24b7 BuildID: 20130829135643

13	Style in data-uri allowed
15	Use inline styles
17	Use inline style attributes
61	Style wants image, and allowed by img-src
78	Load embed from default-src 'self'
80	Load embed from object-src 'self'
83	Load embed from object-src with redirect from allowed to allowed
84	Load embed from default-src csptesting.herokuapp.com
89	Load embed from object-src with redirect from allowed to allowed
106	Load font from default-src 'self'
108	Load font from font-src 'self'
111	Load font from font-src with redirect from allowed to allowed
112	Load font from default-src csptesting.herokuapp.com
114	Load font from font-src csptesting.herokuapp.com
117	Load font from font-src with redirect from allowed to allowed
150	Load xhr from connect-src with redirect from allowed to allowed
156	Load xhr from connect-src with redirect from allowed to allowed
165	Load WebSockets from default-src ws://csptesting.herokuapp.com
167	Load WebSockets from connect-src ws://csptesting.herokuapp.com
171	SVG - scripting event handler
183	Sandbox
185	Sandbox

Any idea why all these test are failling?
Comment 37 Sid Stamm [:geekboy or :sstamm] 2013-08-30 08:40:58 PDT
There could be many reasons.  See all the bugs blocking this (and blocking the bug aliased to csp-w3c-1.0)?  Some of those might explain various failures.

Also, there could possibly be bugs in the tests. Not sure without digging into them more.

Garrett: you've probably looked at this stuff more recently than me, do you have any insight or should we file a bug to follow up with all these test failures?
Comment 38 Garrett Robinson [:grobinson] 2013-09-11 16:28:22 PDT
I've triaged all of the test failures from http://csptesting.herokuapp.com/. No new bugs need to be filed :)

13-117 all failed because the iframes used to load the test requests had 'style="display:none"', to avoid cluttering up the page. However, FF does not compute style (or perform certain other rendering tasks) on elements that are/are children of 'display:none'. These test failures were false negatives. They were addressed (swiftly!) by eoftedal in https://github.com/eoftedal/csp-testing/issues/6

150-167 were all failing because they were performing cross-domain XHR without CORS properly configured (these tests failed on Chrome as well). This was a bug in the test suite, and was addressed by eoftedal in https://github.com/eoftedal/csp-testing/issues/7

171 failed because it tests the execution of script in an onload event handler in a <g> child of an <svg> element. FF's SVG code purposely does not implement the "load event dispatched on every element" behavior for performance reasons. For context (thanks dholbert!), see

* https://bugzilla.mozilla.org/show_bug.cgi?id=552938#c27
* https://bugzilla.mozilla.org/show_bug.cgi?id=639950

Finally, 183 and 185 fail because we have not yet implemented the sandbox directive (optional in 1.0). See Bug 671389.

eoftedal quickly fixed the issues in the test suite. I now see 180/187 passing tests, 3 of which are 171, 183, and 185. I will further triage the remaining 4 tests.
Comment 39 Florian Bender 2013-10-11 13:14:38 PDT
(In reply to Garrett Robinson [:grobinson] from comment #38)
> I've triaged all of the test failures from http://csptesting.herokuapp.com/.

I see 180 test passing in 25b6, but Nightly 27.0a1 (2013-10-11) only passes 142/187! Which version did you try this with? What's the reason for the regression?
Comment 40 Ian Melven :imelven 2013-10-11 14:12:52 PDT
(In reply to Florian Bender from comment #39)
> (In reply to Garrett Robinson [:grobinson] from comment #38)
> > I've triaged all of the test failures from http://csptesting.herokuapp.com/.
> 
> I see 180 test passing in 25b6, but Nightly 27.0a1 (2013-10-11) only passes
> 142/187! Which version did you try this with? What's the reason for the
> regression?

Could be bug 925186 or could be other regressions from bug 836922 possibly.
Comment 41 Sid Stamm [:geekboy or :sstamm] 2013-10-11 16:02:10 PDT
I just built mozilla-central, built and confirmed 142/187.  When I applied the fixes for bug 925186 and bug 924708 I get 180/187.  I probably regressed all the things with multipolicy support, but looks like we found most of 'em.
Comment 42 Mihai Morar, (:MihaiMorar) 2013-10-15 02:30:11 PDT
Thanks Sid for your feedback. I get Results: (142/187), same results as you got in Comment 41. I had used Windows 7 x64 and Latest Aurora 26 for testing. 

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 
BuildID: 20131014004003
Comment 43 Mihai Morar, (:MihaiMorar) 2013-10-15 02:32:45 PDT
Garrett, are there any additional tests required for testing this feature on it's enought to confirm that the fixed bugs from "Depends On" section are verified?
Comment 44 Garrett Robinson [:grobinson] 2013-10-24 11:47:49 PDT
(In reply to Mihai Morar, QA (:MihaiMorar) from comment #43)
> Garrett, are there any additional tests required for testing this feature on
> it's enought to confirm that the fixed bugs from "Depends On" section are
> verified?

All of the fixed bugs from "depends on" should have accompanying tests. Most of these are in content/base/test/csp. There are some tests related to Web Console logging in browser/devtools/webconsole/test.
Comment 45 Anne (:annevk) 2014-07-03 10:18:47 PDT
*** Bug 361915 has been marked as a duplicate of this bug. ***
Comment 46 Anne (:annevk) 2014-07-03 10:21:41 PDT
*** Bug 390910 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.