Closed Bug 864675 Opened 7 years ago Closed 5 years ago

CSP chokes on opening links

Categories

(Firefox :: Security, defect, major)

Version: 20 Branch
Platform: x86_64, Windows 7
Type: defect
Priority: Not set
Severity: major

RESOLVED DUPLICATE of bug 608131

People

(Reporter: marc.stern, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20130328110703

Steps to reproduce:

Page CSP header:
X-Content-Security-Policy: default-src https://extranet.approach.be javascript://*:*

The page contains a link:
<a href="http://..." target="_blank">link</a>



Actual results:

When clicking on the link, the browser generates a CSP error and blocks the link opening:
Warning: CSP WARN:  Directive default-src https://extranet.approach.be:443 javascript://*:* violated by http://...

If opening the link explicitly in a new tab/window (middle click), the new tab/window opens correctly. As the target frame is "_blank", the link always opens in a new tab/window, but the browser seems to block before opening the new tab/window.

I checked the problem with version 20.0 & ESR 17.0.5.


Expected results:

The link must open in a new tab/window.
Severity: normal → major
Component: Untriaged → Security
Version: 17 Branch → 20 Branch
I am unable to reproduce this in Firefox 19 or in nightly (23) on Linux.

Is the link inside an iframe inside a CSP-protected document?  The reason I ask is bug 608131.

A side note, and probably not related to your issue: the javascript scheme doesn't support a host or slashes like your syntax.  To allow javascript URIs in your page you should use this CSP:

X-Content-Security-Policy: default-src https://extranet.approach.be javascript:

Also, you may consider moving to the non-prefixed header that's being standardized in the W3C.  That will be landing in Firefox shortly.  http://www.w3.org/TR/CSP/
Blocks: CSP
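
The side note above about `javascript://*:*`, as an added example (not code from this bug or from Firefox): a small Node.js lint that parses a policy value and flags host-style source expressions on schemes that take no host or slashes, suggesting the bare `scheme:` form instead. The function names and the `OPAQUE_SCHEMES` list are assumptions of this example.

```javascript
// Added example: flag CSP source expressions that put a host on a scheme
// which has none, such as the javascript://*:* entry discussed above.

// Assumption of this example: schemes treated as having no host or port.
const OPAQUE_SCHEMES = new Set(["javascript", "data", "blob", "about", "mailto"]);

// Parse a policy value into a Map of directive name -> source expressions.
function parsePolicy(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Keep only the first occurrence of a directive name.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Classify one source expression by its syntactic form.
function classifySource(expr) {
  if (/^'.*'$/.test(expr)) return { kind: "keyword" };
  let m = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  if (m) return { kind: "scheme", scheme: m[1].toLowerCase() };
  m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(expr);
  if (m) return { kind: "host", scheme: m[1].toLowerCase(), rest: m[2] };
  return { kind: "host", scheme: null, rest: expr };
}

// Return one finding per host-style expression on an opaque scheme.
function lintPolicy(value) {
  const findings = [];
  for (const [directive, sources] of parsePolicy(value)) {
    for (const source of sources) {
      const c = classifySource(source);
      if (c.kind === "host" && c.scheme && OPAQUE_SCHEMES.has(c.scheme)) {
        findings.push({ directive, source, suggestion: c.scheme + ":" });
      }
    }
  }
  return findings;
}

// Policy values taken from the report and from the suggested correction.
const reported = "default-src https://extranet.approach.be javascript://*:*";
const corrected = "default-src https://extranet.approach.be javascript:";
console.log(lintPolicy(reported));
console.log(lintPolicy(corrected));
```
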
It's inside a frame - not an iframe - which has the same CSP protection.
I can reproduce it in 20.0.1.
Any chance you can post a link to the broken site here? I tried to recreate it on my local machine, but it didn't have the same error.
Marc, is this still a problem with the latest Firefox?  (Frames and iframes probably have the same problem that we fixed in bug 608131).
Flags: needinfo?(marc.stern)
Indeed, it is fixed.
Thanks
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 608131
Flags: needinfo?(marc.stern)