Closed Bug 896589 Opened 11 years ago Closed 3 months ago

(CSP) "Content Security Policy: Directive inline style base restriction violated" when doing view-source on login.mozilla.org

Categories

(Websites :: login.mozilla.com, defect, P5)

x86_64
Linux

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1873553

People

(Reporter: dholbert, Assigned: gcox)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

STR:
1. Visit https://login.mozilla.org/
2. Open the error console. (Ctrl+Shift+J)
3. (optional) Hit "Clear" button in console, to clear out everything there.
4. View|Source on the login.mozilla.org window.
5. Inspect error console.

SIMPLER STR:
Visit the URL "view-source:https://login.mozilla.org/" while you have the error console open.

ACTUAL RESULTS:
This appears, when you open "View Source":
{
[11:22:04.898] Content Security Policy: Directive inline style base restriction violated @ view-source:https://login.mozilla.org/
}

Presumably this happens because Firefox is applying styling to present the "view-source" UI, which conflicts with CSP headers sent to us by login.mozilla.org.
Component: Security → DOM: Security
Whiteboard: [domsecurity-backlog]
Priority: -- → P5
Severity: normal → S3

It's login.mozilla.com now. Nice find, not sure anyone told anyone who owned the site over the years, though. :(
Adding it to the pile-o-debt.

Assignee: nobody → gcox
Component: DOM: Security → login.mozilla.com
Product: Core → Websites

Just got to a point where I could look at this and I kinda think this is 'not my bug'?

On a Django stage site, I clamped down on CSP ...

# django-csp expects a tuple or list per directive; the trailing comma matters,
# because ("'none'") without it is just the string "'none'", not a 1-tuple.
CSP_DEFAULT_SRC = ("'none'",)
CSP_CONNECT_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'",)
CSP_IMG_SRC = ("'self'",)
CSP_SCRIPT_SRC_ELEM = ("'self'", 'https://code.jquery.com/', 'https://cdn.jsdelivr.net/npm/')
CSP_STYLE_SRC = ("'self'",)
CSP_STYLE_SRC_ATTR = ("'self'",)
# The non-fallbacks (these never inherit from default-src):
CSP_BASE_URI = ("'none'",)
CSP_FORM_ACTION = ("'none'",)
CSP_FRAME_ANCESTORS = ("'none'",)

... and that all looks aggressive-but-not-unreasonable. view-source: came back:

Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src-attr 'self'”
Source: tab-size: 4

This seems like bug 1873553. Feels like this is a holistic Fx problem, or I'm unclear where I should ease up on CSP restrictions.
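The comment above hinges on two things: how a set of django-csp `CSP_*` settings becomes a Content-Security-Policy header, and why an inline style attribute (here the `tab-size: 4` that `view-source:` applies) ends up judged by `style-src-attr` rather than by `style-src` or `default-src`. The following is an added example, not code from this bug or from the login.mozilla.com site: it re-implements the header serialisation in simplified form (it is not django-csp's own code), encodes CSP Level 3's directive fallback chain, and evaluates whether a given inline style attribute would be applied. The settings values, the `SETTINGS` dict and all function names are constructed for the example.

```python
import base64
import hashlib

# CSP Level 3 fallback chain: an absent directive defers to the next entry.
# base-uri, form-action and frame-ancestors never fall back to default-src.
FALLBACK = {
    "style-src-attr": ["style-src-attr", "style-src", "default-src"],
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
    "script-src-attr": ["script-src-attr", "script-src", "default-src"],
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "connect-src": ["connect-src", "default-src"],
    "font-src": ["font-src", "default-src"],
    "img-src": ["img-src", "default-src"],
    "base-uri": ["base-uri"],
    "form-action": ["form-action"],
    "frame-ancestors": ["frame-ancestors"],
}

# Constructed settings in django-csp's CSP_<DIRECTIVE> naming. Every value is
# a tuple; ("'self'") without the trailing comma would be a plain string.
SETTINGS = {
    "CSP_DEFAULT_SRC": ("'none'",),
    "CSP_CONNECT_SRC": ("'self'",),
    "CSP_FONT_SRC": ("'self'",),
    "CSP_IMG_SRC": ("'self'",),
    "CSP_SCRIPT_SRC_ELEM": ("'self'", "https://code.jquery.com/",
                            "https://cdn.jsdelivr.net/npm/"),
    "CSP_STYLE_SRC": ("'self'",),
    "CSP_STYLE_SRC_ATTR": ("'self'",),
    "CSP_BASE_URI": ("'none'",),
    "CSP_FORM_ACTION": ("'none'",),
    "CSP_FRAME_ANCESTORS": ("'none'",),
}


def build_policy(settings):
    """Map CSP_* settings to {directive: (sources, ...)}.

    A bare string is rejected so the missing-trailing-comma mistake shows up
    as a configuration error instead of a silently mangled header.
    """
    policy = {}
    for key, sources in settings.items():
        if not key.startswith("CSP_"):
            continue
        if isinstance(sources, str):
            raise TypeError(f"{key} must be a tuple or list, got str {sources!r}")
        directive = key[len("CSP_"):].lower().replace("_", "-")
        policy[directive] = tuple(sources)
    return policy


def header_value(policy):
    """Serialise the directive map as a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def governing_directive(policy, directive):
    """Walk the fallback chain; return the directive that applies, or None."""
    for candidate in FALLBACK[directive]:
        if candidate in policy:
            return candidate
    return None


def style_attr_hash(style_text):
    """CSP hash-source for an inline attribute value ('sha256-<base64>')."""
    digest = hashlib.sha256(style_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_style_attr_allowed(policy, style_text):
    """Return (allowed, governing_directive) for a style="..." attribute.

    'self' never covers inline attributes. They need 'unsafe-inline', or
    'unsafe-hashes' together with a matching hash-source. With no governing
    directive at all, CSP imposes no restriction on them.
    """
    directive = governing_directive(policy, "style-src-attr")
    if directive is None:
        return True, None
    sources = policy[directive]
    if "'unsafe-inline'" in sources:
        return True, directive
    if "'unsafe-hashes'" in sources and style_attr_hash(style_text) in sources:
        return True, directive
    return False, directive


if __name__ == "__main__":
    policy = build_policy(SETTINGS)
    print("Content-Security-Policy:", header_value(policy))
    allowed, directive = inline_style_attr_allowed(policy, "tab-size: 4")
    print(f"inline style 'tab-size: 4' allowed={allowed} (governed by {directive})")
```

Run against the constructed settings, the `tab-size: 4` attribute is refused under `style-src-attr 'self'`, which is the same decision Firefox reports in the console message quoted above; dropping `CSP_STYLE_SRC_ATTR` only moves the decision to `style-src`, and dropping that too moves it to `default-src 'none'`. The only directives that loosen this for a specific attribute value are `'unsafe-inline'` or `'unsafe-hashes'` with the attribute's hash, which is why a `'self'`-only policy cannot be tuned to admit browser-injected styling.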

Yup, I think this is a Firefox bug. I think it was filed as such (though dormant) until you reclassified it in comment 1. :)

Fair... but until I got into working on it, it wasn't clear to me that it wasn't a site problem.
[checks dates] I don't think I delayed anything, though. :)

I'mma reso-dupe then; bug 1873553 looks like it has a 10-years-more-modern take on things.

Status: NEW → RESOLVED
Closed: 3 months ago
Duplicate of bug: 1873553
Resolution: --- → DUPLICATE