Closed Bug 824179 Opened 7 years ago Closed 7 years ago
Mozilla Marketplace is violating its own custom CSP (but not the default "app" CSP)
This came out in bug 823962. I also don't know where to file these bugs. Unsure of severity.
Quoting bug 823962 comment 9 Based on what I see in the logcat: the marketplace is loading a data: uri even though the CSP doesn't permit that URI. The policy needs to be changed to allow images from *everywhere* or at least include "data:" in the list of valid image sources.
Chris - I thought the CSP policy didn't apply to preloaded hosted apps? Why is the marketplace getting hit by the CSP policy? ccing a bunch of marketplace folks to see if they have an idea what's going wrong here as well
Maybe I'm misreading something. Can you clarify what CSP checks are being done on the marketplace?
Component: Gaia → Consumer Pages
Product: Boot2Gecko → Marketplace
Version: unspecified → 1.0
The marketplace itself has a CSP, and the marketplace is violating its own CSP.
Summary: Mozilla Marketplace is violating its CSP → Mozilla Marketplace is violating its own custom CSP, not the default "app" CSP
I'm guessing that this could block us from turning on the patch from bug 782542, right?
Summary: Mozilla Marketplace is violating its own custom CSP, not the default "app" CSP → Mozilla Marketplace is violating its own custom CSP (but not the default "app" CSP)
Hi. Thanks for filing. Would you be specific about what the problem is? The marketplace has some custom CSP rules in it, but they are off now and have only ever been enabled as report only. So, because of that, I assume this is about something app-y and not regular browser CSP but I need help to understand what. Thanks! :)
All I can point to is comment 1.
(In reply to Chris Jones [:cjones] [:warhammer] from comment #8) > All I can point to is comment 1. Sid, can you help clarify that comment? What rules you're seeing and where they are coming from?
Got it, thanks. Yes, we have a policy at https://marketplace-dev.allizom.org/services/csp/policy?build=7171 and it's out of date. I update it every few months but since it is impossible to turn on in production it's always a low priority. This is a dupe of bug 816265 if we're just talking about updating the policy. This bug seemed more urgent than that so I'm leaving it open for another comment, but our policy has always only been report-only so aside from an extra ping this shouldn't be a problem, right?
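To make the two points in this thread concrete (comment 4: a `data:` image is loaded although `img-src` does not list `data:`; the comment above: a report-only policy only reports such loads, an enforced one would block them), here is an added example of a minimal CSP source-expression matcher. It is not the marketplace's code or its real policy; the policy strings, the CDN host and the loaded URIs are constructed, and only the page origin is taken from this bug.

```python
from urllib.parse import urlparse

def parse_csp(policy: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def _source_allows(src: str, uri: str, page_origin: str) -> bool:
    """Does one CSP source expression permit loading `uri` from `page_origin`?"""
    uri_p, org_p = urlparse(uri), urlparse(page_origin)
    scheme, host = uri_p.scheme.lower(), (uri_p.hostname or "").lower()
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return scheme == org_p.scheme.lower() and host == (org_p.hostname or "").lower()
    if src == "*":
        # The wildcard never matches data:, blob: or filesystem: URIs.
        return scheme not in ("data", "blob", "filesystem")
    if src.endswith(":") and "/" not in src:
        return scheme == src[:-1]          # scheme-source such as data: or https:
    # host-source, optionally with a scheme and a leading "*." label
    src_scheme, _, src_host = src.rpartition("://")
    if src_scheme:
        if src_scheme != scheme:
            return False
    elif scheme not in (org_p.scheme.lower(), "https"):
        return False
    src_host = src_host.split("/")[0].split(":")[0]   # port/path matching omitted here
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host

def uri_allowed(policy: str, directive: str, uri: str, page_origin: str) -> bool:
    """Apply `directive`, falling back to default-src as the CSP spec does."""
    d = parse_csp(policy)
    sources = d.get(directive, d.get("default-src"))
    if sources is None:
        return True                        # nothing governs this load
    return any(_source_allows(s, uri, page_origin) for s in sources)

def violations(policy: str, loads, page_origin: str) -> list:
    """(directive, uri) pairs a Report-Only header would report and an enforced one would block."""
    return [(d, u) for d, u in loads if not uri_allowed(policy, d, u, page_origin)]

# Constructed sample data, modelled on the situation in this bug
ORIGIN = "https://marketplace-dev.allizom.org"
OLD_POLICY = "default-src 'self'; img-src 'self' https://*.cdn.example.net"
FIXED_POLICY = "default-src 'self'; img-src 'self' data: https://*.cdn.example.net"
LOADS = [("img-src", "data:image/png;base64,AAAA"),
         ("img-src", "https://icons.cdn.example.net/app.png"),
         ("script-src", "https://marketplace-dev.allizom.org/js/app.js")]
```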
Tentatively closing due to no response to comment 11. Feel free to reopen.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX