Closed
Bug 929653
Opened 11 years ago
Closed 11 years ago
CSP style-src is parsed using incorrect ordering rules
Categories
(Core :: Security, defect)
Tracking
RESOLVED
DUPLICATE
of bug 909029
People
(Reporter: bluewind, Unassigned)
References
(Blocks 1 open bug)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130917081302

Steps to reproduce:
Send the following CSP header and try to open an SVG image created by systemd-analyze.

Content-Security-Policy: default-src 'none'; style-src * 'unsafe-inline';

Changing the order of * and 'unsafe-inline' fixes the issue, but according to the W3C draft source-list is an unordered list of source-expressions[1] and I can't find any mention of order being important.

[1]: http://www.w3.org/TR/CSP/#source-list

Actual results:
Firefox complains about inline style being forbidden by the CSP.

Expected results:
Firefox should display the image correctly and not complain about CSP issues.
Comment 1•11 years ago
Florian, can you please link to a test case or attach a test case? It will help us move more quickly on this bug.
Flags: needinfo?(bluewind)
Reporter
Comment 2•11 years ago
Test case "* 'unsafe-inline'": http://flo.server-speed.net/tmp/test.svg
Test case "'unsafe-inline' *": http://flo.server-speed.net/tmp/test2.svg

Both render fine in Chromium; in Firefox test.svg (same file, just different CSP header) is pretty much only a black square.
Flags: needinfo?(bluewind)
Comment 3•11 years ago
Thanks for the test cases, Florian. This bug is caused by the early return in CSPSourceList.fromString [1]. Sid - wasn't this the cause of another recent bug? Do you recall which?

[1] http://dxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm?from=CSPUtils.jsm#l989
Flags: needinfo?(sstamm)
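The order-dependence described in comment 3 can be reproduced with a toy source-list parser. The code below is an added illustration written for this page, not Firefox's CSPUtils.jsm: `parseSourceListBuggy` models the kind of early return comment 3 points at (hypothetically, on `*`), and `parseSourceListFixed` walks every source-expression regardless of order, as the unordered source-list in the spec requires. The policy-splitting and `inlineStyleAllowed` helpers are likewise assumptions for the demonstration.

```javascript
// Added example, not Firefox code. Models how an early return while parsing a
// CSP source-list makes "* 'unsafe-inline'" and "'unsafe-inline' *" behave
// differently, and how an order-independent parser treats them the same.

function emptySourceList() {
  return { allowAll: false, unsafeInline: false, hosts: [] };
}

// Hypothetical buggy parser: returns as soon as it sees '*', so any
// source-expression after the wildcard (here 'unsafe-inline') is dropped.
function parseSourceListBuggy(list) {
  const result = emptySourceList();
  for (const token of list.trim().split(/\s+/).filter(Boolean)) {
    if (token === '*') {
      result.allowAll = true;
      return result; // bug: remaining tokens are never examined
    }
    if (token === "'none'") return emptySourceList();
    if (token === "'unsafe-inline'") result.unsafeInline = true;
    else result.hosts.push(token);
  }
  return result;
}

// Order-independent parser: every token in the source-list is recorded,
// so the keyword is honoured wherever it appears.
function parseSourceListFixed(list) {
  const result = emptySourceList();
  for (const token of list.trim().split(/\s+/).filter(Boolean)) {
    if (token === '*') result.allowAll = true;
    else if (token === "'none'") return emptySourceList();
    else if (token === "'unsafe-inline'") result.unsafeInline = true;
    else result.hosts.push(token);
  }
  return result;
}

// Split a Content-Security-Policy header value into directives
// ("directive-name source-list", separated by ';') using the given parser.
function parsePolicy(header, parseSourceList) {
  const directives = {};
  for (const part of header.split(';')) {
    const directive = part.trim();
    if (!directive) continue;
    const [name, ...sources] = directive.split(/\s+/);
    directives[name.toLowerCase()] = parseSourceList(sources.join(' '));
  }
  return directives;
}

// Inline <style> is allowed only if the governing directive (style-src,
// falling back to default-src) contains 'unsafe-inline'.
function inlineStyleAllowed(header, parseSourceList) {
  const policy = parsePolicy(header, parseSourceList);
  const src = policy['style-src'] || policy['default-src'];
  return Boolean(src && src.unsafeInline);
}

// Constructed headers mirroring the two test cases in this bug.
const HEADER_STAR_FIRST = "default-src 'none'; style-src * 'unsafe-inline'";
const HEADER_INLINE_FIRST = "default-src 'none'; style-src 'unsafe-inline' *";

console.log('buggy, * first   :', inlineStyleAllowed(HEADER_STAR_FIRST, parseSourceListBuggy));
console.log('buggy, keyword 1st:', inlineStyleAllowed(HEADER_INLINE_FIRST, parseSourceListBuggy));
console.log('fixed, * first   :', inlineStyleAllowed(HEADER_STAR_FIRST, parseSourceListFixed));
console.log('fixed, keyword 1st:', inlineStyleAllowed(HEADER_INLINE_FIRST, parseSourceListFixed));
```

Running it shows the buggy parser rejecting inline style for the `* 'unsafe-inline'` header and accepting it for the reversed one, while the fixed parser accepts both; a regression test for a CSP parser should therefore feed each keyword in every position of the list, not just the first.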
Comment 4•11 years ago
I think it was bug 909029. Garrett, you're almost done with that. Probably wouldn't hurt to see if that's the same bug.
Flags: needinfo?(sstamm)
Comment 5•11 years ago
The patch for bug 909029 fixes this problem as well.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE