Bug 931107
Opened 12 years ago
Updated 3 years ago
ShouldLoad inconsistency of aRequestingLocation between images and fonts requested from css files
(Core :: Security, defect)
Status: NEW
(Reporter: ckerschb, Unassigned)
When working on Bug 909920 we realized that |aRequestingLocation| in ShouldLoad is different when loading images and fonts from a CSS file.
For images:
http://people.mozilla.org/~tvyas/darkreading.html
aRequestingLocation is the CSS file.
For fonts:
http://people.mozilla.org/~tvyas/darkreading-font2.html
aRequestingLocation is the HTML file.
We think aRequestingLocation should be the CSS file in both cases.
Comment 1•12 years ago
Also, when you import css from css, I believe aRequestingLocation is the CSS file.
http://people.mozilla.org/~tvyas/darkreading-style.html
Christoph can confirm.
Updated•12 years ago
Summary: ShouldLoad inconsistency of aRequestingLocation between images and fonts → ShouldLoad inconsistency of aRequestingLocation between images and fonts requested from css files
Comment 2•12 years ago
I believe for fonts the HTML file was purposefully chosen because of the security-check behavior we wanted here. John should have the details...
Flags: needinfo?(jdaggett)
Comment 3•12 years ago
Hrm, or maybe this part was Jonathan, actually, looking at the blame.
Flags: needinfo?(jfkthame)
Comment 4•12 years ago
No, definitely John.
See bug 457825 for the discussion.
Flags: needinfo?(jfkthame)
Comment 5•12 years ago
Maybe the right answer is that we should use a different principal for the CheckMayLoad check and the content policy check. That has an immediate smell to me, though...
Comment 6•10 years ago
From the CSS Fonts spec:
https://drafts.csswg.org/css-fonts/#font-fetching-requirements
"When fetching, user agents must use "Anonymous" mode, set the referrer source to the stylesheet's URL and set the origin to the URL of the containing document."
Flags: needinfo?(jd.bugzilla)
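The following is an added toy model, not Gecko code and not from anyone on this bug: it reproduces the reported behaviour (images loaded from CSS report the stylesheet as aRequestingLocation, fonts report the document) and shows why a content policy keyed on aRequestingLocation decides differently for the two, alongside the separate referrer/origin values the CSS Fonts text in comment 6 calls for. All URLs, hosts and the allow-list rule are constructed for the example.

```javascript
// Added illustration (not Gecko code). aRequestingLocation as a ShouldLoad
// implementation currently observes it, per the bug report and comment 1.
function requestingLocationFor(kind, documentUrl, stylesheetUrl) {
  switch (kind) {
    case "image":  return stylesheetUrl; // image referenced from CSS: the CSS file
    case "font":   return documentUrl;   // @font-face from CSS: the HTML document
    case "import": return stylesheetUrl; // @import from CSS: the importing CSS file
    default: throw new Error(`unknown load kind: ${kind}`);
  }
}

// Toy content policy: accept a load only when the *requesting* location's host
// is on an allow-list. Because the requesting location differs by load kind,
// the same stylesheet gets different answers for its image and its font.
function shouldLoad(kind, contentLocation, documentUrl, stylesheetUrl, allowedHosts) {
  new URL(contentLocation); // validate the target URL (unused by this toy rule)
  const requesting = new URL(requestingLocationFor(kind, documentUrl, stylesheetUrl));
  return allowedHosts.includes(requesting.host) ? "ACCEPT" : "REJECT";
}

// Spec-aligned fetch parameters from comment 6: referrer comes from the
// stylesheet, origin from the containing document, kept as two distinct values
// so a policy can choose which one it is actually checking.
function fontFetchParams(documentUrl, stylesheetUrl) {
  return {
    mode: "anonymous",
    referrer: stylesheetUrl,
    origin: new URL(documentUrl).origin,
  };
}

// Constructed sample: a page on page.example uses a stylesheet on cdn.example
// that references an image and a font, both also on cdn.example.
const DOC = "https://page.example/index.html";
const CSS = "https://cdn.example/site.css";
const ALLOW = ["cdn.example"];

function demo() {
  return {
    image: shouldLoad("image", "https://cdn.example/bg.png", DOC, CSS, ALLOW), // "ACCEPT"
    font:  shouldLoad("font",  "https://cdn.example/a.woff", DOC, CSS, ALLOW), // "REJECT"
    spec:  fontFetchParams(DOC, CSS),
  };
}
```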
Updated•3 years ago
Severity: normal → S3