553180 - "Blocked by Content Security Policy" frame error page should not have "try again" button

Status: RESOLVED FIXED

(Core :: Networking, defect)

Description

[Jesse Ruderman]

Trying again is unlikely to make it work, so the button should not be there.  I could go for a "Show only this frame" or "Open frame in new tab" button, though.

Comment 1

[Sid Stamm [:geekboy or :sstamm]]

Good point, Try Again is not a useful feature there.  :)  CC'ing Johnath who might have an opinion.

Comment 2

[Brandon Sterne (:bsterne)]

This applies to X-Frame-Options, bug 475530, as well.

Comment 3

[Johnathan Nightingale [:johnath]]

Killing the Try Again button makes good sense, yeah. There's precedent, too:

http://mxr.mozilla.org/mozilla-central/source/docshell/resources/content/netError.xhtml#187

As for doing more interesting things like breaking out of the frame, that will require more of the content/chrome event bubbling hijinx - not sure how I feel about it, but I think it might be worthwhile to break that off from killing Try Again, which feels unambiguously right?

Comment 4

[Brandon Sterne (:bsterne)]

I'm also not sure we need the button to take the user directly to the page.  In most clickjacking attacks, users will never see the frame anyway.  Plus we do already allow users to right-click in the frame and open it in its own tab or window, or open it directly if they need that feature.

Comment 5

[Jesse Ruderman]

I filed bug 561916 for the "open frame in new tab" button (plus a few other issues).

Comment 6

[Sid Stamm [:geekboy or :sstamm]]

Attachment: Fix

No tests for this patch (trivial fix). You can see the result of the patch in the content/base/test/test_CSP_frameancestors.html mochitest.

Johnathan, just want to run this by your UI eyeballs before we commit the change.

jst, I saw you were a peer on docshell, maybe you can give me a review on this tiny change?

Comment 7

[Brandon Sterne (:bsterne)]

http://hg.mozilla.org/mozilla-central/rev/b3ed3405f1dc