Closed
Bug 796739
Opened 12 years ago
Closed 12 years ago
CSP violations warnings
Categories
(Firefox OS Graveyard :: Gaia, defect, P3)
Firefox OS Graveyard
Gaia
Tracking
(blocking-basecamp:+)
RESOLVED
FIXED
blocking-basecamp | + |
People
(Reporter: ghtobz, Assigned: ochameau)
References
Details
(Whiteboard: [label:system], QARegressExclude)
Attachments
(12 files, 1 obsolete file)
166 bytes,
text/html
|
kaze
:
review+
|
Details |
166 bytes,
text/html
|
vingtetun
:
review+
|
Details |
166 bytes,
text/html
|
vingtetun
:
review+
|
Details |
166 bytes,
text/html
|
asuth
:
review+
|
Details |
166 bytes,
text/html
|
vingtetun
:
review+
|
Details |
166 bytes,
text/html
|
Details | |
166 bytes,
text/html
|
djf
:
review+
|
Details |
166 bytes,
text/html
|
ladamski
:
feedback-
|
Details |
166 bytes,
text/html
|
iliu
:
review+
|
Details |
355 bytes,
text/html
|
jj.evelyn
:
review+
|
Details |
166 bytes,
text/html
|
fcampo
:
review+
|
Details |
166 bytes,
text/html
|
jlal
:
review+
|
Details |
[GitHub issue by fabricedesre on 2012-09-25T20:56:31Z, https://github.com/mozilla-b2g/gaia/issues/5173]
When the system app loads, we now have these warnings:
E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated
E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onload attribute on UNKNOWN element"}]
E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated
E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onsubmit attribute on FORM element"}]
E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated
E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on SECTION element"}]
E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated
E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on BUTTON element"}]
E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated
E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on DIV element"}]
E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated
E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on DIV element"}]
E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated
E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on DIV element"}]
E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated
E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on DIV element"}]
E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated
E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on BUTTON element"}]
E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated
E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on DIV element"}]
E/GeckoConsole( 106): [JavaScript Warning: "CSP WARN: Directive inline script base restriction violated
E/GeckoConsole( 106): " {file: "app://system.gaiamobile.org/index.html" line: 0 column: 0 source: "onmousedown attribute on BUTTON element"}]
[GitHub comment by nhirata on 2012-09-26T21:59:36Z]
is this a dup of #5177?
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Comment 3•12 years ago
|
||
@dale bug 803178 is under the calendar component and unrelated to this.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 4•12 years ago
|
||
oh sorry didnt notice the component
Assignee | ||
Updated•12 years ago
|
Assignee: nobody → poirot.alex
Assignee | ||
Comment 5•12 years ago
|
||
I'll take a look at this if noone started working on this.
Updated•12 years ago
|
blocking-basecamp: ? → +
Assignee | ||
Comment 7•12 years ago
|
||
Here is settings fixes.
I'll do one pull request per app.
Attachment #674637 -
Flags: review?(kaze)
Updated•12 years ago
|
Priority: -- → P3
Comment 9•12 years ago
|
||
Comment on attachment 674640 [details]
Pull request 5983 - fix clock
https://github.com/mozilla-b2g/gaia/commit/35dbf43c7272b82a3233c259f82ba804a130cadc
Attachment #674640 -
Flags: review?(iliu) → review+
Assignee | ||
Comment 10•12 years ago
|
||
Attachment #677055 -
Flags: review?(21)
Attachment #677055 -
Flags: review?(21) → review+
Comment 11•12 years ago
|
||
Assignee | ||
Comment 12•12 years ago
|
||
Attachment #678301 -
Flags: review?(bugmail)
Updated•12 years ago
|
Attachment #674637 -
Flags: review?(kaze) → review+
Updated•12 years ago
|
Attachment #678301 -
Flags: review?(bugmail) → review+
Comment 13•12 years ago
|
||
Are there other outstanding issues stopped us from enabling the full CSP policy? I'd like to wrap this up by the end of this week.
Assignee | ||
Comment 14•12 years ago
|
||
There is still one CSP violation in communications, then I think we are good to go.
I've seen some inline script in showcase apps, but I think they are not involved in CSP secured policy, right?
I'm currently working on the patch for communications.
Comment 15•12 years ago
|
||
I don't think the showcase apps are packaged or certified apps? If not then we should have a problem there.
Assignee | ||
Comment 16•12 years ago
|
||
Didn't knew who to ask for this review, feel free to forward it.
But that isn't necessary a review for communications app developers as it is mostly about root `webapps.js` file.
Attachment #678462 -
Flags: review?(21)
Assignee | ||
Comment 17•12 years ago
|
||
Vivien, same thing here. Please forward this r? to the right person. This time it is really for someone involved in Communnication!
Attachment #678475 -
Flags: review?(21)
Assignee | ||
Comment 18•12 years ago
|
||
Lucas, I think we will be able to enable strict policy with all these pull requests being reviewed and merged.
Feel free to give it a try in the meantime as I may easily have missed some CSP violation.
Attachment #678505 -
Flags: review?(dflanagan)
Comment 19•12 years ago
|
||
Comment on attachment 678505 [details]
Pull request 6181 - fix cubevid and crystallskull
Looks good.
Attachment #678505 -
Flags: review?(dflanagan) → review+
Attachment #678462 -
Flags: review?(21) → review+
Attachment #678475 -
Flags: review?(21) → review?(jmcf)
Assignee | ||
Comment 20•12 years ago
|
||
There is lot of CSP violations in UITests app.
It doesn't seem worthwile to fix them, so I tried to use `csp` field in webapp manifest, without success. Would you happen to know why it doesn't work?
https://developer.mozilla.org/en-US/docs/Apps/Manifest#Manifest_fields
(Implemented in bug 773891)
Attachment #679164 -
Flags: feedback?(ladamski)
Comment 21•12 years ago
|
||
Comment on attachment 679164 [details]
Pull request 6244 - try to fix uitest by changing its csp
The CSP property in the manifest is intersected with the system-enforced CSP policy, and so can only tighten the system policy further.
Assignee | ||
Comment 22•12 years ago
|
||
(In reply to Lucas Adamski from comment #21)
> The CSP property in the manifest is intersected with the system-enforced CSP
> policy, and so can only tighten the system policy further.
Hum, even when we remove `type: "certified"` ?
Otherwise do you think about any workaround that would prevent patching all these violations?
Comment 23•12 years ago
|
||
Non-certified/privileged applications don't have a required CSP policy. But then other things would break (like direct access to the Contacts API).
I don't know of a strightforward way to solve this without changing the device-wide CSP pref, but that would not help with the core purpose of testing and would make anyone who wants to do testing would have to open a big security hole on their device.
One way of doing it could be to have a device pref to enable an exception for enforcing the minimum CSP for specific apps, but that feels only slightly less terrible than the above suggestion.
Updated•12 years ago
|
Attachment #679164 -
Flags: feedback?(ladamski) → feedback-
Comment 24•12 years ago
|
||
Just found one more: SMS app
[JavaScript Warning: "CSP WARN: Directive eval script base restriction violated
" {file: "app://sms.gaiamobile.org/shared/js/phoneNumberJS/PhoneNumber.js" line: 56 column: 0 source: "call to eval() or related function blocked by CSP"}]
App seems to work ok.
Comment 25•12 years ago
|
||
Update on c24: Per agal PhoneNumber.js is moving to Gecko and can be ignored. App seems to work otherwise.
Updated•12 years ago
|
Component: Gaia → Gaia::System
Updated•12 years ago
|
Component: Gaia::System → Gaia
Comment 26•12 years ago
|
||
Comment on attachment 678475 [details]
Pull request 6178 - optional communications fix
Jose changes has landed at: https://github.com/mozilla-b2g/gaia/commit/98dab6b2b1df54762c0886ae8f5ba70bd643b82f
Attachment #678475 -
Flags: review?(jmcf)
Assignee | ||
Comment 27•12 years ago
|
||
Assignee | ||
Updated•12 years ago
|
Attachment #682079 -
Attachment description: Pull request 6438 - fix FTU → Pull request 6438 - fix bluetooth
Assignee | ||
Comment 28•12 years ago
|
||
Comment 29•12 years ago
|
||
Comment on attachment 682079 [details]
Pull request 6438 - fix bluetooth
It seems like onsubmit on buttons does nothing :)
Attachment #682079 -
Flags: review?(ehung)
Attachment #682083 -
Flags: review?(fbsc)
Assignee | ||
Comment 30•12 years ago
|
||
So here is the current status about CSP:
- We have some minor violations in bluetooth and ftu apps,
- tons of violations in uitest app, but we shouldn't block on this, and hopefully bug 801783 will land soon and we will then be able to make it work again,
- one hard to fix violation in SMS app that isn't really harmfull as it doesn't completely break SMS app but kill the phone number normalization done in SMS. So if we consider bug 811539 as being bb+ and ensure that it is fixed before shipping, we can consider switching to strict CSP now.
Comment 31•12 years ago
|
||
Comment on attachment 682079 [details]
Pull request 6438 - fix bluetooth
Ian, could you please take a look of this? I guess there are some follow-up works in your JS code. Thanks.
Attachment #682079 -
Flags: review?(ehung) → review?(iliu)
Assignee | ||
Comment 32•12 years ago
|
||
Comment 33•12 years ago
|
||
Pointer to Github pull-request
Comment 34•12 years ago
|
||
Comment on attachment 683978 [details]
Pointer to Github pull request: https://github.com/mozilla-b2g/gaia/pull/6554
We should add preventDefault() for the type="submit" button.
Evelyn, could you help me to review the pr?
Thank you.
Attachment #683978 -
Flags: review?(ehung)
Comment 35•12 years ago
|
||
Comment on attachment 682079 [details]
Pull request 6438 - fix bluetooth
We should add the patch https://github.com/mozilla-b2g/gaia/pull/6554 with pr 6438.
It will work fine.
r=me
Attachment #682079 -
Flags: review?(iliu) → review+
Comment 36•12 years ago
|
||
Comment on attachment 683978 [details]
Pointer to Github pull request: https://github.com/mozilla-b2g/gaia/pull/6554
r=me, looks good.
Attachment #683978 -
Flags: review?(ehung) → review+
Assignee | ||
Comment 37•12 years ago
|
||
Attachment #682083 -
Flags: review?(fbsc)
Assignee | ||
Comment 38•12 years ago
|
||
Yet another rebase.
That's the last CSP fix before enabling it by default.
Attachment #682083 -
Attachment is obsolete: true
Attachment #686327 -
Flags: review?(fernando.campo)
Updated•12 years ago
|
Attachment #686327 -
Flags: review?(fernando.campo) → review+
Assignee | ||
Comment 39•12 years ago
|
||
Assignee | ||
Comment 40•12 years ago
|
||
One last, the test-agent app used to run gaia unit tests.
Attachment #686582 -
Flags: review?(etienne)
Assignee | ||
Comment 41•12 years ago
|
||
So with this last pull request applied, only some test applications still fail on CSP violation: uitest and test receivers.
Tested: FTU, sim dialog, all apps from apps folder (no deep test except dialer/sms), games.
Assignee | ||
Comment 42•12 years ago
|
||
Attachment 686582 [details] landed:
https://github.com/mozilla-b2g/gaia/commit/2182d0a601bc194452284af65e3787331ded7e07
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
Attachment #686582 -
Flags: review?(etienne) → review+
You need to log in
before you can comment on or make changes to this bug.
Description
•