Opened on 08/20/2018 at 03:26:28 PM
Closed on 08/29/2019 at 05:43:18 PM
#6873 closed defect (rejected)
$csp filter can make CSP options more insecure on Firefox 55 / 51
| Reported by: | Ross | Assignee: | |
|---|---|---|---|
| Priority: | Unknown | Milestone: | |
| Module: | Platform | Keywords: | closed-in-favor-of-gitlab |
| Cc: | kzar, sebastian, hfiguiere, mjethani | Blocked By: | |
| Blocking: | | Platform: | Unknown / Cross platform |
| Ready: | no | Confidential: | no |
| Tester: | Unknown | Verified working: | no |
| Review URL(s): | | | |
Description
Environment
ABP 3.2.0.2103
Firefox 55 / 51 / Windows 10
Could not reproduce in Chrome or Firefox 61.
Also occurs in ABP 3.2.
How to reproduce
- Navigate to https://csp.kzar.co.uk/?csp=frame-src%20%27none%27
- Add filter ||csp.kzar.co.uk^$csp=http:
Observed behaviour
The frame on the page loads because the filter seems to have overridden the frame-src 'none' with 'http'.
Expected behaviour
The frame should not load. In Chrome 68/55/51 and Firefox 61, the frame does not load as expected.
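The expected behaviour rests on the CSP rule that every policy delivered for a document is enforced on its own, so an extra Content-Security-Policy header (such as the one a $csp filter injects) can only remove permissions, never grant them. The following Python model is an added illustration, not ABP or browser code: a simplified evaluator that handles only 'none', scheme sources and plain host names, and contrasts the correct per-policy check with a hypothetical text-merging combination that would let the frame through.

```python
from urllib.parse import urlparse

def parse_policy(header):
    """Parse one serialized CSP header into {directive-name: [source expressions]}.
    A bare token such as 'http:' becomes an unknown directive with no sources."""
    directives = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives

def source_allows(expr, url):
    """Does one source expression match the URL? Simplified: handles 'none',
    scheme sources (http:) and plain host names; no wildcards, paths or 'self'."""
    u, e = urlparse(url), expr.lower()
    if e == "'none'":
        return False
    if e == "*":
        return True
    if e.endswith(":"):                      # scheme-source, e.g. http:
        return u.scheme == e[:-1]
    host = e.split("://")[-1].split("/")[0]  # host-source, e.g. example.com
    return u.hostname == host

def policy_allows_frame(policy, url):
    """Frame loads fall back frame-src -> child-src -> default-src; an absent
    directive places no restriction, an empty source list behaves like 'none'."""
    for name in ("frame-src", "child-src", "default-src"):
        if name in policy:
            return any(source_allows(s, url) for s in policy[name])
    return True

def frame_allowed(headers, url):
    """Correct combination: each delivered policy is evaluated separately and the
    load is blocked if any one of them blocks it, so extra headers only tighten."""
    return all(policy_allows_frame(parse_policy(h), url) for h in headers)

def frame_allowed_if_merged(headers, url):
    """Hypothetical wrong combination (an illustration, not a claim about any
    browser): concatenating header texts into one policy turns frame-src 'none'
    plus http: into a single list where http: sits beside 'none' and wins."""
    return policy_allows_frame(parse_policy(" ".join(headers)), url)

if __name__ == "__main__":
    page_headers = ["frame-src 'none'", "http:"]   # constructed: site CSP + injected $csp value
    frame = "http://example.com/"
    print("separate policies:", frame_allowed(page_headers, frame))            # False
    print("naively merged   :", frame_allowed_if_merged(page_headers, frame))  # True
```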
Attachments (0)
Change History (4)
comment:1 Changed on 08/20/2018 at 03:27:07 PM by Ross
comment:2 Changed on 08/20/2018 at 04:14:08 PM by mjethani
FYI unable to reproduce this on Firefox 59.
Also, as for the fix for this, we might just want to ignore CSP filters on older versions of Firefox that have this problem.
comment:3 Changed on 08/20/2018 at 04:14:25 PM by mjethani
- Component changed from Unknown to Platform
comment:4 Changed on 08/29/2019 at 05:43:18 PM by sebastian
- Keywords closed-in-favor-of-gitlab added
- Resolution set to rejected
- Status changed from new to closed
Sorry, but we switched to GitLab. If this issue is still relevant, please file it again in the new issue tracker.
This also occurs in 3.2 so is not a regression for 3.3.