Closed Bug 824179 Opened 7 years ago Closed 7 years ago

Mozilla Marketplace is violating its own custom CSP (but not the default "app" CSP)

Categories

(Marketplace Graveyard :: Consumer Pages, defect)

defect
Not set

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: cjones, Unassigned)

Details

This came out in bug 823962.  I also don't know where to file these bugs.

Unsure of severity.
Quoting bug 823962 comment 9

Based on what I see in the logcat: the marketplace is loading a data: uri even though the CSP doesn't permit that URI.  The policy needs to be changed to allow images from *everywhere* or at least include "data:" in the list of valid image sources.
Chris - I thought the CSP policy didn't apply to preloaded hosted apps? Why is the marketplace getting hit by the CSP policy?

ccing a bunch of marketplace folks to see if they have an idea what's going wrong here as well
Maybe I'm misreading something. Can you clarify what CSP checks are being done on the marketplace?
Component: Gaia → Consumer Pages
Product: Boot2Gecko → Marketplace
Version: unspecified → 1.0
The marketplace itself has a CSP, and the marketplace is violating its own CSP.
Summary: Mozilla Marketplace is violating its CSP → Mozilla Marketplace is violating its own custom CSP, not the default "app" CSP
Flags: mkt-blocker?
I'm guessing that this could block us from turning on the patch from bug 782542, right?
Blocks: 782542
Nope, that's bug 823962.
No longer blocks: 782542
Summary: Mozilla Marketplace is violating its own custom CSP, not the default "app" CSP → Mozilla Marketplace is violating its own custom CSP (but not the default "app" CSP)
Hi.  Thanks for filing.  Would you be specific about what the problem is?  The marketplace has some custom CSP rules in it, but they are off now and have only ever been enabled as report only.  So, because of that, I assume this is about something app-y and not regular browser CSP but I need help to understand what.  Thanks! :)
All I can point to is comment 1.
(In reply to Chris Jones [:cjones] [:warhammer] from comment #8)
> All I can point to is comment 1.

Sid, Can you help clarify that comment?  What rules you're seeing and where they are coming from?
Flags: needinfo?(sstamm)
Sure.  The logcat in bug 823962 has a CSP warning in it.  I cut the line short for brevity but here's what it says:

12-21 16:34:26.585: E/GeckoConsole(498): [JavaScript Warning: "CSP WARN:  Directive img-src https://marketplace-dev.allizom.org:443 http://dev1.addons.phx1.mozilla.com:80 https://www.google.com:443 https://statse.webtrendslive.com:443 https://www.getpersonas.com:443 https://s3.amazonaws.com:443 https://marketplace-dev-cdn.allizom.org:443 violated by data:image/png;base64,[datastuffhere]

The data: URI is being rejected by the CSP served since it's not explicitly whitelisted in img-src.  Either change the img-src directive to allow *all* images (*) or add "data:" to the list of origins.
Flags: needinfo?(sstamm)
Got it, thanks.  Yes, we have a policy at https://marketplace-dev.allizom.org/services/csp/policy?build=7171 and it's out of date.  I update it every few months but since it is impossible to turn on in production it's always a low priority.  This is a dupe of bug 816265 if we're just talking about updating the policy.

This bug seemed more urgent than that so I'm leaving it open for another comment, but our policy has always only been report-only so aside from an extra ping this shouldn't be a problem, right?
Tentatively closing due to no response to comment 11.  Feel free to reopen.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
blocking-basecamp: ? → ---
Flags: mkt-blocker?
You need to log in before you can comment on or make changes to this bug.