Closed
Bug 978243
Opened 11 years ago
Closed 11 years ago
CSP is blocking the loading of resources from Google Analytics
Categories
(Marketplace Graveyard :: Consumer Pages, defect, P2)
Tracking
(Not tracked)
VERIFIED
FIXED
2014-04-01
People
(Reporter: krupa.mozbugs, Assigned: clouserw)
Details
steps to reproduce:
1. Load https://marketplace-dev.allizom.org/app/keeper-web-app?src=featured
observed behavior:
Console shows:
Content Security Policy: The page's settings blocked the loading of a resource at https://www.google-analytics.com/collect?v=1&_v=j16&a=1520330904&t=pageview&_s=2&dl=https%3A%2F%2Fmarketplace-dev.allizom.org%2Fcategory%2Fall%2Ffeatured%3Fsrc%3Dcategory-featured&dp=%2Fapp%2Fkeeper-web-app%3Fsrc%3Dfeatured&ul=en-us&de=UTF-8&dt=Loading...%20%7C%20Firefox%20Marketplace&sd=24-bit&sr=1440x900&vp=1425x241&je=1&fl=12.0%20r0&_utma=117863061.171611314.1393525280.1393546987.1393619927.5&_utmz=117863061.1393525280.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)&_utmht=1393619930344&_u=eIAC~&cid=hs57t4er.les&tid=UA-36116321-11&z=1558895468 ("img-src https://marketplace-dev.allizom.org:443 http://dev1.addons.phx1.mozilla.com:80 https://www.google.com:443 https://mozorg.cdn.mozilla.net:443 http://mozorg.cdn.mozilla.net:80 https://www.getpersonas.com:443 https://ssl.google-analytics.com:443 http://www.google-analytics.com:80 data://*:* https://marketplace-dev-cdn.allizom.org:443").
Comment 1•11 years ago
Looks like the GA domain has changed? Unsure. CCing Davor since he worked on this. Probably a serious issue.
Priority: -- → P2
Comment 2•11 years ago
Our CSP:
allow 'self'; img-src 'self' http://dev1.addons.phx1.mozilla.com https://www.google.com https://mozorg.cdn.mozilla.net http://mozorg.cdn.mozilla.net https://www.getpersonas.com https://ssl.google-analytics.com http://www.google-analytics.com data: https://marketplace-dev-cdn.allizom.org; script-src 'self' http://dev1.addons.phx1.mozilla.com https://www.google.com https://mozorg.cdn.mozilla.net http://mozorg.cdn.mozilla.net https://login.persona.org https://firefoxos.persona.org https://www.paypalobjects.com https://ssl.google-analytics.com http://www.google-analytics.com https://marketplace-dev-cdn.allizom.org; object-src 'none'; media-src 'none'; frame-src https://s3.amazonaws.com https://ssl.google-analytics.com https://login.persona.org https://firefoxos.persona.org https://www.youtube.com; font-src 'self' fonts.mozilla.org www.mozilla.org https://marketplace-dev-cdn.allizom.org; style-src 'self' http://dev1.addons.phx1.mozilla.com https://mozorg.cdn.mozilla.net http://mozorg.cdn.mozilla.net http://raw.github.com https://raw.github.com https://marketplace-dev-cdn.allizom.org; frame-ancestors 'self'; report-uri /services/csp/report
So it looks like we need to remove 'https://ssl.google-analytics.com' and add 'https://www.google-analytics.com'.
Not sure who the right person is for this. Nice find though krupa.
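An added example, not part of the original bug thread or the Marketplace code: a small matcher that checks a URL against one directive's source list using strict scheme, host and port comparison, which is how the normalised list in the console message above reads. The function names and the shortened beacon URL are assumptions made for the illustration; the img-src list and the proposed swap are taken from Comment 2.

```javascript
// Added example: strict scheme + host + port matching, as reflected in the
// normalised source list Firefox printed in the console message above.
// Assumptions: no wildcard hosts, no path matching, and no http -> https
// upgrade (later CSP levels do let an http: source match an https: URL).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Split a policy string into { directive: [source, ...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Normalise one source expression; returns null for forms not handled here
// ('none', scheme-less hosts).
function parseSource(src, selfOrigin) {
  if (src === "'self'") src = selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return { schemeOnly: src.toLowerCase() };
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(src)) return null;
  const u = new URL(src);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] };
}

// Return the source expression that allows `url` under `directive`, or null.
function matchingSource(policy, directive, url, selfOrigin) {
  const target = new URL(url);
  const port = target.port || DEFAULT_PORTS[target.protocol];
  for (const src of parsePolicy(policy)[directive] || []) {
    const s = parseSource(src, selfOrigin);
    if (!s) continue;
    if (s.schemeOnly) { if (s.schemeOnly === target.protocol) return src; continue; }
    if (s.scheme === target.protocol && s.host === target.hostname && s.port === port) return src;
  }
  return null;
}

// img-src as quoted in Comment 2, and with the swap Comment 2 proposes.
const SELF = "https://marketplace-dev.allizom.org";
const BEFORE = "img-src 'self' http://dev1.addons.phx1.mozilla.com https://www.google.com " +
  "https://mozorg.cdn.mozilla.net http://mozorg.cdn.mozilla.net https://www.getpersonas.com " +
  "https://ssl.google-analytics.com http://www.google-analytics.com data: " +
  "https://marketplace-dev-cdn.allizom.org; object-src 'none'";
const AFTER = BEFORE.replace("https://ssl.google-analytics.com", "https://www.google-analytics.com");
const BEACON = "https://www.google-analytics.com/collect?v=1&t=pageview"; // query shortened
console.log("before:", matchingSource(BEFORE, "img-src", BEACON, SELF));
console.log("after: ", matchingSource(AFTER, "img-src", BEACON, SELF));
```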
Comment 3•11 years ago
Comment 4•11 years ago
Assignee: nobody → clouserw
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2014-04-01
Comment 5•11 years ago
Resources from Google Analytics are not blocked anymore by CSP
Status: RESOLVED → VERIFIED