Opened on 08/20/2018 at 01:49:22 PM

Closed on 08/27/2018 at 04:29:26 PM

Last modified on 10/17/2018 at 02:50:13 PM

#6871 closed defect (fixed)

Extension incorrectly accepts $csp filters with blank value

Reported by: Ross
Assignee: jsonesen
Priority: P2
Milestone:
Module: Core
Keywords:
Cc: kzar, sebastian, hfiguiere, mjethani, jsonesen
Blocked By:
Blocking:
Platform: Unknown / Cross platform
Ready: yes
Confidential: no
Tester: Ross
Verified working: yes
Review URL(s):

Description (last modified by mjethani)


Chrome 68 / 55 / Windows 10
Firefox 51 / Windows 10

Reproduced in 3.2.

How to reproduce

  1. Add the filter *$csp=

Observed behaviour

The filter is accepted.

Expected behaviour

According to #6733, blank values should be allowed for the $rewrite filter, but not for the $domain, $sitekey or $csp filters. The $domain and $sitekey filter options error on blank value as expected.

Hints for testers

Test that CSP filters work in general as expected but no longer accept blank values. If a filter contains a blank value for the $csp option, it should be ignored. This can be verified by writing such a filter and checking the DevTools console for the error Invalid header specification '{"name":"Content-Security-Policy"}'; after this change, no such error should appear in the DevTools console.

Known issues

This change introduced the regression described in #7043. Whitelist CSP filters should be able to have blank values.
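
Added example (not part of the original ticket and not the extension's own code): a JavaScript sketch of the validation rule described above, covering both the expected behaviour and the whitelist exception noted under known issues. The function name checkFilter, the simplified option splitting (no regular-expression filters) and the treatment of a value-less option as blank are assumptions; the sample filters are constructed.

```javascript
"use strict";

// Hypothetical helper, not Adblock Plus core code.
// Options that must carry a non-blank value on a blocking filter (#6733).
// $rewrite is deliberately absent: a blank value is allowed there.
const NON_BLANK_OPTIONS = new Set(["domain", "sitekey", "csp"]);

function checkFilter(text) {
  // Exception (whitelist) filters start with "@@".
  const isException = text.startsWith("@@");
  const body = isException ? text.slice(2) : text;

  // Options follow the last "$" in the filter text.
  const dollar = body.lastIndexOf("$");
  if (dollar === -1) return {valid: true, isException, options: {}};

  const options = {};
  for (const part of body.slice(dollar + 1).split(",")) {
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? null : part.slice(eq + 1);
    options[name] = value;

    if (!NON_BLANK_OPTIONS.has(name)) continue;
    // #7043: a whitelist CSP filter may have a blank value.
    if (name === "csp" && isException) continue;
    // Assumption: a missing value is treated the same as an empty one.
    if (value === null || value.trim() === "")
      return {valid: false, isException, reason: `blank $${name} value`};
  }
  return {valid: true, isException, options};
}

// Constructed sample filters.
const samples = [
  "*$csp=",                      // the filter from this ticket: rejected
  "*$csp=script-src 'none'",     // accepted
  "@@||example.com^$csp",        // whitelist, blank CSP: accepted
  "||example.com^$domain=",      // rejected
  "||example.com^$rewrite="      // blank $rewrite: accepted
];
for (const filter of samples)
  console.log(filter, "->", JSON.stringify(checkFilter(filter)));
```

Rejecting the filter at parse time means no header object without a value is ever built, which is what produced the Invalid header specification error in the DevTools console.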

Attachments (0)

Change History (12)

comment:1 Changed on 08/20/2018 at 01:49:49 PM by Ross

This is not a regression (it occurs in 3.2) but goes against what is in the 3.3 ticket (#6733).

comment:2 Changed on 08/20/2018 at 04:06:05 PM by mjethani

The web extension even tries to inject the CSP header and gets this error from the browser: Unchecked runtime.lastError while running webRequestInternal.eventHandled: Invalid header specification '{"name":"Content-Security-Policy"}'

comment:3 Changed on 08/20/2018 at 04:06:32 PM by mjethani

  • Component changed from Unknown to Core
  • Priority changed from Unknown to P2
  • Ready set

comment:4 Changed on 08/20/2018 at 04:06:56 PM by mjethani

  • Cc jsonesen added

comment:5 Changed on 08/20/2018 at 06:15:46 PM by jsonesen

  • Owner set to jsonesen

comment:6 Changed on 08/21/2018 at 07:23:28 PM by jsonesen

Last edited on 08/21/2018 at 07:25:59 PM by jsonesen

comment:7 Changed on 08/22/2018 at 07:51:19 PM by jsonesen

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

comment:8 Changed on 08/25/2018 at 07:38:41 AM by abpbot

A commit referencing this issue has landed:
Issue 6871 - Reject filters with blank CSPs

comment:9 Changed on 08/27/2018 at 04:29:26 PM by jsonesen

  • Resolution set to fixed
  • Status changed from reviewing to closed

comment:10 Changed on 08/28/2018 at 09:15:13 AM by mjethani

  • Description modified (diff)

comment:11 Changed on 10/15/2018 at 08:33:23 PM by mjethani

  • Description modified (diff)

comment:12 Changed on 10/17/2018 at 02:50:13 PM by Ross

  • Tester changed from Unknown to Ross
  • Verified working set


Firefox 62 / 51 / Windows 10
Chrome 69 / 49 / Windows 10
Opera 56 / 36 / Windows 10
