Closed
Bug 1503956
Opened 6 years ago
Closed 6 years ago
Assertion failure: parsedPolicyStr.Find("default-src") >= 0 (about: page must contain a CSP including default-src), at src/dom/base/nsDocument.cpp:5382
Categories: Core :: DOM: Security, defect
Tracking: RESOLVED WONTFIX

Release | Tracking | Status
---|---|---
firefox65 | --- | affected
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments (1 file): (deleted), text/html
Reduced with m-c:
BuildID=20181101133336
SourceStamp=182a1b088330a2d72310ae2561004d955571e236
I'm not sure what the security impact is here so marking as s-s. Feel free to open it if appropriate.
Assertion failure: parsedPolicyStr.Find("default-src") >= 0 (about: page must contain a CSP including default-src), at src/dom/base/nsDocument.cpp:5382
#0 AssertAboutPageHasCSP(nsIURI*, nsIPrincipal*) src/dom/base/nsDocument.cpp:5381:3
#1 nsDocument::EndLoad() src/dom/base/nsDocument.cpp:5392:5
#2 nsHTMLDocument::EndLoad() src/dom/html/nsHTMLDocument.cpp:844:15
#3 nsXMLContentSink::DidBuildModel(bool) src/dom/xml/nsXMLContentSink.cpp:338:16
#4 nsParser::DidBuildModel(nsresult) src/parser/htmlparser/nsParser.cpp:492:37
#5 nsParser::Terminate() src/parser/htmlparser/nsParser.cpp:605:5
#6 nsParser::Tokenize(bool) src/parser/htmlparser/nsParser.cpp:1550:20
#7 nsParser::ResumeParse(bool, bool, bool) src/parser/htmlparser/nsParser.cpp:1057:41
#8 nsParser::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/parser/htmlparser/nsParser.cpp:1477:10
#9 nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsURILoader.cpp:368:15
#10 nsJARChannel::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/modules/libjar/nsJARChannel.cpp:1175:20
#11 non-virtual thunk to nsJARChannel::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/modules/libjar/nsJARChannel.cpp
#12 nsInputStreamPump::OnStateStop() src/netwerk/base/nsInputStreamPump.cpp:706:20
#13 nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp:436:25
#14 non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp
#15 nsInputStreamReadyEvent::Run() src/xpcom/io/nsStreamUtils.cpp:102:20
#16 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1245:14
#17 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
#18 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#19 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#20 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#21 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#22 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:939:22
#23 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
#24 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#25 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#26 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:765:34
#27 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#28 main src/browser/app/nsBrowserApp.cpp:301:18
#29 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#30 _start (firefox+0x329f4)
Flags: in-testsuite?
Updated • 6 years ago
Flags: needinfo?(ckerschb)
Comment 1 • 6 years ago
Thanks for filing Tyson. There is no need for this bug to be hidden, hence I am opening it up.
A little bit of background: Ultimately we would like that all about: pages ship with a CSP attached and we also want to make sure that no new about: pages can be added to our codebase without having a CSP attached (See Bug 1492063 and friends).
The attached testcase does not trigger the assertion all of the time, and I guess that is due to window.stop(). If at that time about:neterror (aboutNetError.xhtml) has fully loaded, then we already have a CSP attached (because about:neterror ships with a meta CSP). If not, then the assertion is triggered.
We already had similar problems with the assertion being too aggressive hence we started to assert only if |!mParserAborted| (see Bug 1459544), meaning the document needs to be fully loaded, not being aborted during load.
My guess is that window.stop() does not set the mParserAborted flag. Not sure if we need to trace this one down or not.
Regarding the security implications: I guess we could WONTFIX this bug, because the assertion triggers correctly. We could make the assertion a little less aggressive by not asserting if window.stop() was called, but not sure if it's really worth doing either.
Group: dom-core-security
Flags: needinfo?(ckerschb)
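The assertion in the description tests the serialized policy with `parsedPolicyStr.Find("default-src") >= 0`, i.e. a substring match. The following is an added example, not code from the bug, the testcase or mozilla-central: it puts that style of substring check beside a directive-aware check that parses the policy by the CSP grammar (directives split on `;`, first token is the case-insensitive directive name, later duplicates ignored), and runs both over a few constructed policies. Note that Firefox's check runs over a string re-serialized from an already parsed policy, so the `decoy` and `odd` cases below illustrate the general difference between the two techniques rather than a claim about the browser's assertion, which comment 2 describes as a debug sanity check on about: pages rather than a security boundary.

```javascript
// Added example (not from Firefox): substring vs. directive-aware check
// that a serialized Content-Security-Policy contains a default-src directive.

// Mirrors the spirit of parsedPolicyStr.Find("default-src") >= 0:
// true whenever the substring occurs anywhere in the policy string.
function substringHasDefaultSrc(policy) {
  return policy.indexOf("default-src") >= 0;
}

// Parse a serialized CSP (header value or <meta http-equiv> content) into a
// Map of directive name -> array of value tokens, following the CSP grammar:
// directives are separated by ';', the first token is the directive name
// (ASCII case-insensitive), remaining tokens are its values. A repeated
// directive name is ignored after its first occurrence, as the spec requires.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/[ \t]+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty directive, e.g. from ";;"
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The check a reviewer would want: a directive actually *named* default-src.
function cspHasDefaultSrc(policy) {
  return parseCsp(policy).has("default-src");
}

// Constructed sample policies (illustrative; not taken from any about: page).
const SAMPLES = {
  // the shape an about: page is expected to ship
  good: "default-src chrome:; object-src 'none'",
  // no default-src directive at all
  missing: "script-src 'self'; style-src 'self'",
  // the substring appears only inside a URL value, not as a directive
  decoy: "script-src 'self' https://example.test/default-src/; object-src 'none'",
  // upper-case directive name and sloppy separators
  odd: "  DEFAULT-SRC   'none' ;; img-src data:",
};

// Run both checks over every sample; returns {label: {substring, directive}}.
function compareChecks() {
  const out = {};
  for (const [label, policy] of Object.entries(SAMPLES)) {
    out[label] = {
      substring: substringHasDefaultSrc(policy),
      directive: cspHasDefaultSrc(policy),
    };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
}
```

Running the file with node prints a table in which `good` and `missing` agree under both checks, while `decoy` passes only the substring check and `odd` passes only the directive-aware check.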
Comment 2 • 6 years ago
We discussed that bug in the triage meeting. Since this assertion only ensures that all about: pages ship with a CSP we can ignore that cornercase and mark this bug as a WONTFIX.
If needed for fuzzing, please just whitelist the assertion or flip the pref "csp.skip_about_page_has_csp_assert".
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX