Bug 931107
Opened 11 years ago
Updated 2 years ago
ShouldLoad inconsistency of aRequestingLocation between images and fonts requested from css files
Categories: Core :: Security, defect
Status: NEW (Open)
People: Reporter: ckerschb, Unassigned
Details
When working on Bug 909920 we realized that |aRequestingLocation| in ShouldLoad is different when loading images and fonts from a CSS file.
For images: http://people.mozilla.org/~tvyas/darkreading.html aRequestingLocation is the CSS file.
For fonts: http://people.mozilla.org/~tvyas/darkreading-font2.html aRequestingLocation is the HTML file.
We think aRequestingLocation should be the CSS file in both cases.
Comment 1•11 years ago
Also, when you import css from css, I believe aRequestingLocation is the CSS file. http://people.mozilla.org/~tvyas/darkreading-style.html Christoph can confirm.
Updated•11 years ago
Summary: ShouldLoad inconsistency of aRequestingLocation between images and fonts → ShouldLoad inconsistency of aRequestingLocation between images and fonts requested from css files
Comment 2•11 years ago
I believe for fonts the HTML file was purposefully chosen because of the security-check behavior we wanted here. John should have the details...
Flags: needinfo?(jdaggett)
Comment 3•11 years ago
Hrm, or maybe this part was Jonathan, actually, looking at the blame.
Flags: needinfo?(jfkthame)
Comment 4•11 years ago
No, definitely John. See bug 457825 for the discussion.
Flags: needinfo?(jfkthame)
Comment 5•11 years ago
Maybe the right answer is that we should use a different principal for the CheckMayLoad check and the content policy check. That has an immediate smell to me, though...
Comment 6•8 years ago
From the CSS Fonts spec: https://drafts.csswg.org/css-fonts/#font-fetching-requirements "When fetching, user agents must use "Anonymous" mode, set the referrer source to the stylesheet's URL and set the origin to the URL of the containing document."
Flags: needinfo?(jd.bugzilla)
Updated•2 years ago
Severity: normal → S3