Daniel Veditz [:dveditz] Reporter
	Description • 9 years ago

+++ This bug was initially created as a clone of Bug #1198078 +++

Bug 1198078 points out that serviceWorkers don't honor the mixed content blocker, but they don'tt appear to call _any_ content policy type things.

Content-security-policy we know about already, but there's a whole slew of add-ons dependent on nsIContentPolicy, such as NoScript and ad-blockers.

We also don't appear to be running loads through safe Browsing checks, which I think are separate from the nsIContentPolicy checks.

	Ben Kelly [:bkelly, not reviewing]
	Comment 1 • 9 years ago

I think bholley is fixing this over in bug 1189668.  Or is this a different problem?

	(no longer active)
	Comment 2 • 9 years ago

I think bug 1189668 is only about respondWith().

	(no longer active)
	Comment 3 • 9 years ago

(In reply to Daniel Veditz [:dveditz] from comment #0)
> Bug 1198078 points out that serviceWorkers don't honor the mixed content
> blocker, but they don'tt appear to call _any_ content policy type things.

They do: <https://hg.mozilla.org/mozilla-central/rev/3ca0821a9b05#l11.27>

Note that the code above deals with loading the SW script itself, and importScripts().  I'm not really sure what cases you're talking about here though.  Can you please clarify?

> Content-security-policy we know about already, but there's a whole slew of
> add-ons dependent on nsIContentPolicy, such as NoScript and ad-blockers.

I think the call above is sufficient for all of these cases, isn't it?

> We also don't appear to be running loads through safe Browsing checks, which
> I think are separate from the nsIContentPolicy checks.

Do you know how that is integrated with normal loads?

	Daniel Veditz [:dveditz] Reporter
	Comment 4 • 9 years ago

(In reply to Ehsan Akhgari (don't ask for review please) from comment #3)
> (In reply to Daniel Veditz [:dveditz] from comment #0)
> > they don'tt appear to call _any_ content policy type things.
> 
> They do: <https://hg.mozilla.org/mozilla-central/rev/3ca0821a9b05#l11.27>

You're right: the script loader above does, and by way of using the normal XHR that's covered, too. The fetch() algorithm has hooks for CSP and hopefully we're doing so by calling generic nsIContentPolicy so that should be covered.

> > We also don't appear to be running loads through safe Browsing checks, which
> > I think are separate from the nsIContentPolicy checks.
> 
> Do you know how that is integrated with normal loads?

Looks like that's built into the HTTP Channel code these days so my concern was unwarranted paranoia on that point too.

	(no longer active)
	Comment 5 • 9 years ago

(In reply to Daniel Veditz [:dveditz] from comment #4)
> (In reply to Ehsan Akhgari (don't ask for review please) from comment #3)
> > (In reply to Daniel Veditz [:dveditz] from comment #0)
> > > they don'tt appear to call _any_ content policy type things.
> > 
> > They do: <https://hg.mozilla.org/mozilla-central/rev/3ca0821a9b05#l11.27>
> 
> You're right: the script loader above does, and by way of using the normal
> XHR that's covered, too. The fetch() algorithm has hooks for CSP and
> hopefully we're doing so by calling generic nsIContentPolicy so that should
> be covered.

Yes, fetch() should do the right thing as well: <http://mxr.mozilla.org/mozilla-central/source/dom/fetch/FetchDriver.cpp#113>.  Note that we shipped fetch() in 39, I think.

> > > We also don't appear to be running loads through safe Browsing checks, which
> > > I think are separate from the nsIContentPolicy checks.
> > 
> > Do you know how that is integrated with normal loads?
> 
> Looks like that's built into the HTTP Channel code these days so my concern
> was unwarranted paranoia on that point too.

OK, np!

Can we mark this as a dupe of bug 1189668?

	Daniel Veditz [:dveditz] Reporter
	Comment 6 • 9 years ago

A dupe of /something/ anyway. See CSP-2 dependencies like bug 929292 and bug 959388.