Opened 4 months ago

Closed 4 months ago

Last modified 8 weeks ago

#6871 closed defect (fixed)

Extension incorrectly accepts $csp filters with blank value

Reported by: Ross
Assignee: jsonesen
Priority: P2
Milestone:
Module: Core
Keywords:
Cc: kzar, sebastian, hfiguiere, mjethani, jsonesen
Blocked By:
Blocking:
Platform: Unknown / Cross platform
Ready: yes
Confidential: no
Tester: Ross
Verified working: yes
Review URL(s):

Description (last modified by mjethani)


Chrome 68 / 55 / Windows 10
Firefox 51 / Windows 10

Reproduced in 3.2.

How to reproduce

  1. Add the filter *$csp=

Observed behaviour

The filter is accepted.

Expected behaviour

According to #6733, blank values should be allowed for the $rewrite filter, but not for the $domain, $sitekey or $csp filters. The $domain and $sitekey filter options error on blank value as expected.

Hints for testers

Test that CSP filters work in general as expected but no longer accept blank values. If a filter contains a blank value for the $csp option, it should be ignored. This can be verified by writing such a filter and checking the DevTools console for the error Invalid header specification '{"name":"Content-Security-Policy"}'; after this change, no such error should appear in the DevTools console.

Known issues

This change introduced the regression described in #7043. Whitelist CSP filters should be able to have blank values.
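
The validation rule described in this ticket, together with the whitelist exception from the known issue, sketched as an added example. This is not Adblock Plus source code. The function names, the simplified option parser and the treatment of an option with no "=" as blank are assumptions made for illustration.

```javascript
// Added illustration; not Adblock Plus source code.
// Options that must carry a non-blank value on a blocking filter (per the ticket).
const NON_BLANK = new Set(["domain", "sitekey", "csp"]);

// Split "pattern$opt1=val,opt2" into pattern and option pairs (simplified parser).
function parseFilter(text) {
  const isException = text.startsWith("@@");
  const body = isException ? text.slice(2) : text;
  const idx = body.lastIndexOf("$");
  const pattern = idx === -1 ? body : body.slice(0, idx);
  const options = [];
  if (idx !== -1) {
    for (const part of body.slice(idx + 1).split(",")) {
      const eq = part.indexOf("=");
      const name = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
      // Assumption: an option written without "=" has no value at all.
      const value = eq === -1 ? null : part.slice(eq + 1);
      options.push({name, value});
    }
  }
  return {isException, pattern, options};
}

// Returns {valid: true} or {valid: false, reason}.
function validateFilter(text) {
  const {isException, options} = parseFilter(text);
  for (const {name, value} of options) {
    if (!NON_BLANK.has(name)) continue; // e.g. $rewrite= may be blank
    const blank = value === null || value.trim() === "";
    // Exception (whitelist) CSP filters may be blank: the #7043 case.
    if (blank && !(name === "csp" && isException))
      return {valid: false, reason: `blank value for $${name}`};
  }
  return {valid: true};
}

// Constructed sample filters.
for (const f of ["*$csp=", "*$csp=script-src 'none'", "@@||example.com^$csp=",
                 "*$rewrite=", "*$domain=", "*$sitekey="])
  console.log(f, JSON.stringify(validateFilter(f)));
```

Rejecting the filter at parse time means the header injection step never sees a Content-Security-Policy entry without a value.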

Change History (12)

comment:1 Changed 4 months ago by Ross

This is not a regression (it occurs in 3.2) but goes against what is in the 3.3 ticket (#6733).

comment:2 Changed 4 months ago by mjethani

The web extension even tries to inject the CSP header and gets this error from the browser: Unchecked runtime.lastError while running webRequestInternal.eventHandled: Invalid header specification '{"name":"Content-Security-Policy"}'

comment:3 Changed 4 months ago by mjethani

  • Component changed from Unknown to Core
  • Priority changed from Unknown to P2
  • Ready set

comment:4 Changed 4 months ago by mjethani

  • Cc jsonesen added

comment:5 Changed 4 months ago by jsonesen

  • Owner set to jsonesen

comment:6 Changed 4 months ago by jsonesen

Last edited 4 months ago by jsonesen

comment:7 Changed 4 months ago by jsonesen

  • Review URL(s) modified
  • Status changed from new to reviewing

comment:8 Changed 4 months ago by abpbot

A commit referencing this issue has landed:
Issue 6871 - Reject filters with blank CSPs

comment:9 Changed 4 months ago by jsonesen

  • Resolution set to fixed
  • Status changed from reviewing to closed

comment:10 Changed 4 months ago by mjethani

  • Description modified

comment:11 Changed 2 months ago by mjethani

  • Description modified

comment:12 Changed 8 weeks ago by Ross

  • Tester changed from Unknown to Ross
  • Verified working set


Firefox 62 / 51 / Windows 10
Chrome 69 / 49 / Windows 10
Opera 56 / 36 / Windows 10
