Closed
Bug 792542
Opened 13 years ago
Closed 13 years ago
CSPRep.fromString creates a channel out of thin air
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED FIXED
Target Milestone: mozilla18
People: Reporter: jdm, Assigned: jdm
References: Blocks 1 open bug
Attachments (1 file)
1.27 KB, patch | geekboy: review+
http://mxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm#401
This looks like it should be assigned the same loadgroup as the originating document to prevent information leakage in private browsing.
Comment 1•13 years ago
It used to be a chrome XHR, but that got changed in bug 558431. But yeah, it should probably be in the same loadgroup as the document for purposes of private browsing.
Blocks: CSP
Component: DOM → DOM: Core & HTML
Updated•13 years ago
Assignee: nobody → josh
tracking-firefox18: --- → +
Comment 2•13 years ago (Assignee)
Sid, I would love to write a test for this but I couldn't find any examples of tests that do things with valid async policy-uri directives. If you can give me some pointers, the code to check whether the request is cached correctly is simple.
Attachment #663260 - Flags: review?(sstamm)
Comment 3•13 years ago
Comment on attachment 663260
Make CSP report channel respect the privacy status of the original request.
Review of attachment 663260:
-----------------------------------------------------------------
r=me
Note: your patch comment has r=sstam in it (should be r=sstamm or r=geekboy).
I think the patch in bug 558431 has xpcshell async policy-uri tests -- see the patch to test_csputils.js and test_bug558431.js. I'd love to have tests for this if you can.
Attachment #663260 - Flags: review?(sstamm) → review+
Comment 4•13 years ago (Assignee)
It doesn't look like it's going to be a simple task to write a test for this - in xpcshell we can run a server on the policy port, but then we don't have a document and loadgroup and so forth. We can't easily run a server in something like mochitest-browser-chrome, as far as I know, so I think I'm going to have to punt on automatic tests.
Comment 5•13 years ago (Assignee)
Comment 6•13 years ago
https://hg.mozilla.org/mozilla-central/rev/b8e4333af38a
Should this have a test?
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox18: --- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Comment 7•12 years ago
Can someone provide some STR so I can verify this fix please?