Open Bug 931107 Opened 11 years ago Updated 2 years ago

ShouldLoad inconsistency of aRequestingLocation between images and fonts requested from css files

Categories

(Core :: Security, defect)

People

(Reporter: ckerschb, Unassigned)

Details

When working on Bug 909920 we realized that |aRequestingLocation| in ShouldLoad is different when loading images and fonts from a CSS file.

For images:
   http://people.mozilla.org/~tvyas/darkreading.html
aRequestingLocation is the CSS file.

For fonts:
   http://people.mozilla.org/~tvyas/darkreading-font2.html
aRequestingLocation is the HTML file.

We think aRequestingLocation should be the CSS file in both cases.
Also, when you import CSS from CSS, I believe aRequestingLocation is the CSS file.
http://people.mozilla.org/~tvyas/darkreading-style.html

Christoph can confirm.
Summary: ShouldLoad inconsistency of aRequestingLocation between images and fonts → ShouldLoad inconsistency of aRequestingLocation between images and fonts requested from css files
I believe for fonts the HTML file was purposefully chosen because of the security-check behavior we wanted here.  John should have the details...
Flags: needinfo?(jdaggett)
Hrm, or maybe this part was Jonathan, actually, looking at the blame.
Flags: needinfo?(jfkthame)
No, definitely John.

See bug 457825 for the discussion.
Flags: needinfo?(jfkthame)
Maybe the right answer is that we should use a different principal for the CheckMayLoad check and the content policy check.  That has an immediate smell to me, though...
From the CSS Fonts spec:

https://drafts.csswg.org/css-fonts/#font-fetching-requirements

 "When fetching, user agents must use "Anonymous" mode, set the
  referrer source to the stylesheet's URL and set the origin to
  the URL of the containing document."
Flags: needinfo?(jd.bugzilla)
Severity: normal → S3