Invalid CSP not detected #2634
Comments
@erosman to make it easier for someone who doesn't necessarily have reviewer access, would it be possible for you to provide more info in the bug report rather than link to reviewer pages?
@muffinresearch The relevant information that was included in the post is: That can be tested by entering it into any manifest.json Furthermore, the developer link was given for the validator result, which is not on the reviewers' interface. Can't it be accessed by the dev team? The addon in question is: Please let me know if further information is required.
@erosman If you assume minimal prior knowledge, then that would make for a better bug report. As originally filed, any reader is having to guess at what the issue you're reporting actually is. The template for bug reports has headings to help here, e.g. "Describe the problem and steps to reproduce it", "What happened?", "What did you expect to happen?" and so on. In addition, a screenshot of the specific error in this case would help a lot for clarity and immediacy.
I assumed developers have access to That was the reason I thought giving a link would resolve any queries. For example: #2114 #2086 #1943 #1708 #1767 #1547 etc. I also left a ping for Andreas, who does have access to all those. In fact, the bug is aimed at the review admin to follow up on.
Yes, validation reports should be accessible. However, currently there's not enough information so that the reader (who may not be an admin reviewer) understands why it's a problem and what the expected change would be.
If the issue has more context from the start, this helps us to immediately understand the intent of the issue and how to go about fixing it, which benefits us all.
As evident from the posted snippet, there is no allowance for remote code execution.
Only 1 message relates to CSP and this bug report.
As per the topic title, it is a false report. Just looking at the corresponding code snippet that was posted in the first post, i.e.
@erosman Isn't this an invalid CSP - this is missing the On that basis, fixing this should be about detecting the invalid CSP and showing a relevant warning for that. Attached is a test-case that reproduces the problem.
Indeed it is, and the error should indicate CSP error/invalid instead of
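One way a linter could separate a malformed `content_security_policy` from one that is merely permissive, as an added example that is not addons-linter's own code. The directive list, the rule for which script sources count as remote, and the missing-semicolon heuristic are assumptions made for this example, and the sample manifests in the test are constructed:

```javascript
// Added example (not addons-linter code): classify a WebExtension manifest's
// content_security_policy as 'invalid', 'unsafe' or 'ok'. The directive
// names and the "allowed script source" rule below are assumptions.
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'object-src', 'style-src', 'img-src',
  'connect-src', 'font-src', 'media-src', 'frame-src', 'worker-src',
  'child-src', 'frame-ancestors', 'base-uri', 'form-action', 'sandbox',
  'report-uri', 'report-to', 'upgrade-insecure-requests',
]);

// Parse a serialized policy into { directives: Map<name, string[]>, errors: string[] }.
// Directives are ';'-separated; each is a name followed by whitespace-separated sources.
function parseCsp(policy) {
  const directives = new Map();
  const errors = [];
  if (typeof policy !== 'string') {
    errors.push('content_security_policy must be a string');
    return { directives, errors };
  }
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;              // empty segment (e.g. trailing ';') is fine
    const name = tokens[0].toLowerCase();
    const sources = tokens.slice(1);
    if (!KNOWN_DIRECTIVES.has(name)) {
      errors.push(`unknown directive "${name}"`);
      continue;
    }
    if (directives.has(name)) {
      errors.push(`duplicate directive "${name}"`);   // browsers ignore the repeat
      continue;
    }
    // Heuristic: a directive name sitting in a source list almost always means a
    // missing ';' between two directives, e.g. "script-src 'self' object-src 'self'".
    for (const src of sources) {
      if (KNOWN_DIRECTIVES.has(src.toLowerCase())) {
        errors.push(`"${src}" appears as a source of ${name}; missing ';' before it?`);
      }
    }
    directives.set(name, sources);
  }
  return { directives, errors };
}

// Script sources this example treats as acceptable for an extension:
// itself, nothing, or hash/nonce-pinned inline code.
function isAllowedScriptSource(src) {
  const s = src.toLowerCase();
  return s === "'self'" || s === "'none'" || s.startsWith("'nonce-") ||
    s.startsWith("'sha256-") || s.startsWith("'sha384-") || s.startsWith("'sha512-") ||
    s.startsWith('moz-extension:');
}

// 'invalid' means the policy is malformed and will not take the shape the author
// intended; 'unsafe' means it parses but widens where scripts may come from.
function checkManifestCsp(manifest) {
  if (!('content_security_policy' in manifest)) {
    return { status: 'ok', messages: ['no custom CSP; default policy applies'] };
  }
  const { directives, errors } = parseCsp(manifest.content_security_policy);
  if (errors.length > 0) return { status: 'invalid', messages: errors };

  const scriptSources = directives.get('script-src') || directives.get('default-src') || [];
  const messages = [];
  for (const src of scriptSources) {
    const s = src.toLowerCase();
    if (s === "'unsafe-eval'" || s === "'unsafe-inline'") {
      messages.push(`${src} relaxes script execution`);
    } else if (!isAllowedScriptSource(src)) {
      messages.push(`remote script source ${src}`);
    }
  }
  return messages.length > 0 ? { status: 'unsafe', messages } : { status: 'ok', messages };
}
```

The point of the split is the one raised above: a policy such as `script-src 'self' object-src 'self'` (a constructed example of a missing `;`) does not grant remote script execution, so a remote-script warning would be wrong for it; instead the browser reads `object-src` as a host-style source of `script-src` and the intended `object-src` directive never exists, which is a structural error and should be reported as one.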
This issue has been automatically marked as stale because it has not had recent activity. If you think this bug should stay open, please comment on the issue with further details. Thank you for your contributions.
ref:
manifest.json
@wagnerand