
Please update CSP with new avatar URL #817

Closed
clouserw opened this issue Apr 26, 2021 · 3 comments
Labels: 🐛 bug (Something isn't working), 🕸 website

Comments

clouserw (Member) commented Apr 26, 2021

Reported on Slack:

Relay is blocking the avatar URL from FxA:

Content Security Policy: The page’s settings blocked the loading of a resource at https://profile.accounts.firefox.com/v1/avatar/w (“img-src”).

Resulting in mis-rendering of the account menu in the top left.

The fix is to add profile.accounts.firefox.com to the img-src CSP rule

maxxcrawford self-assigned this Apr 26, 2021
maxxcrawford linked a pull request Apr 29, 2021 that will close this issue

maxxcrawford (Contributor) commented

@clouserw I'm having issues recreating this issue. Here's where we set the CSP policy for the profile images. We're using django-csp to manage it. From what I can determine, we're correctly setting the img-src policy.

@tcinotto Can you provide more details on where you were getting this error? I may need to work with you directly to debug/reproduce this.

clouserw (Member, Author) commented

It looks like @groovecoder fixed this in abf32ec

If that commit is already live, maybe there is some caching going on? I can still reproduce as of this morning. Steps:

  1. Make sure you don't have an avatar in FxA. You can check by logging into accounts.firefox.com. The avatar is at the top of the page. If it is unset it should be a letter in a circle.

  2. Log in to relay.firefox.com

  3. See the missing avatar in the top right of the page. See in console: Content Security Policy: The page’s settings blocked the loading of a resource at https://profile.accounts.firefox.com/v1/avatar/w (“img-src”).

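The console error in the steps above is the browser's CSP source matching rejecting the avatar host. The following is an added example, not code from the Relay project or from django-csp: a small checker that parses a Content-Security-Policy header, picks the `img-src` list (falling back to `default-src` as browsers do), and applies the host-source matching rules to a URL. The two policies are constructed for illustration; the first omits profile.accounts.firefox.com and reproduces the block, the second adds it to `img-src` and allows the load. It also handles scheme-only sources (`https:`, `data:`), `*.` host wildcards, ports and path prefixes, so it can be used to test a candidate policy before deploying it.

```python
"""Check whether a CSP header allows an image URL (added example, not Relay code)."""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern: str, host: str) -> bool:
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # "*.example.com" matches any subdomain but not the bare domain
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_allows(source: str, url: str) -> bool:
    """Match one CSP host-source or scheme-source expression against an absolute URL.

    Keyword sources such as 'self' and 'none' depend on the page origin and are
    treated as non-matching here, which is the conservative choice for a checker.
    """
    target = urlparse(url)
    if source == "*":
        return True
    if source.startswith("'"):
        return False
    if source.endswith(":") and "/" not in source:
        # scheme-source, e.g. "https:" or "data:"
        return target.scheme == source[:-1].lower()
    # prepend "//" so urlparse treats a bare host as the netloc, not the path
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False
    if not _host_matches(src.hostname or "", target.hostname or ""):
        return False
    target_port = target.port or DEFAULT_PORTS.get(target.scheme)
    if src.port is not None and src.port != target_port:
        return False
    if src.port is None and target_port != DEFAULT_PORTS.get(target.scheme):
        return False
    if src.path:
        # a path ending in "/" is a prefix match; otherwise it must match exactly
        if src.path.endswith("/"):
            return target.path.startswith(src.path)
        return target.path == src.path
    return True


def image_allowed(header: str, url: str) -> bool:
    """Return True if img-src (or the default-src fallback) permits loading url."""
    policy = parse_csp(header)
    sources = policy.get("img-src", policy.get("default-src", []))
    if sources == ["'none'"]:
        return False
    return any(source_allows(s, url) for s in sources)


# Constructed policies for illustration; not the Relay project's real header.
AVATAR_URL = "https://profile.accounts.firefox.com/v1/avatar/w"
CSP_BEFORE = "default-src 'self'; img-src 'self' data: https://relay.firefox.com"
CSP_AFTER = (
    "default-src 'self'; "
    "img-src 'self' data: https://relay.firefox.com https://profile.accounts.firefox.com"
)

if __name__ == "__main__":
    for name, header in (("before", CSP_BEFORE), ("after", CSP_AFTER)):
        verdict = "allowed" if image_allowed(header, AVATAR_URL) else "BLOCKED"
        print(f"{name}: {AVATAR_URL} -> {verdict}")
```

With the legacy django-csp settings style, adding the host means appending `"https://profile.accounts.firefox.com"` to the `CSP_IMG_SRC` tuple (django-csp 4.x moved these into a `CONTENT_SECURITY_POLICY` dict); that detail comes from django-csp's documentation, not from this thread. Running the checker against the header actually served by the site, rather than the settings file, is also a quick way to rule out the caching theory raised above, since it tests what the browser receives.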

maxxcrawford added and then removed the cannot-reproduce label (Cannot reproduce the issue as described.) May 5, 2021

maxxcrawford (Contributor) commented

@clouserw Thanks for the follow up – I had a profile image. Confirmed. I would imagine the caching would no longer be an issue, so I'll keep digging.

groovecoder added the 🐛 bug and 🕸 website labels May 11, 2021
groovecoder added a commit that referenced this issue May 27, 2021
Fix #817 - Remove map function, set URLs directly