CSP errors loading fonts on stage deployments #9869
Comments
|
This happens all the time. I've made sure I don't have any Inter, Zilla et al. installed locally to avoid false positives, and no matter how I browse or refresh, all I get is a basic sans-serif. No surprise here, Either the assets need to be linked just from / root without the server part, or the font-src CSP has to be augmented the same way style-src or default-src is today. (Maybe when addressing #14082 or #11943 one day this could be fixed with it…) |
|
I think i'm going to need to cover this as part of #14451 else we'll have the integration tests setting off alarm bells every time |
|
@stevejalim I'll quickly open a PR trying to fix this for moz.works or run.app URLs, you can try to deploy it to some of the demos to check the new CSP policy live. |
|
@janbrasna Thanks but that is maybe going to overlap with the work I'd started on this. Will take a look later and confirm either way |
|
@stevejalim No worries, I'm avoiding any lines you're working on, and eventually the PR could merge with #14453 without conflicts — I'm only trying this as PoC to get around the violations in the most simple way possible to get the noise out of reporting, without being too obnoxious in production (for both mozorg & pocket that share the same code for merging the rules). You'll find some notes to consider when you get to it… |
|
@janbrasna I don't think you can see the existence of our k8s config repo, but adding the extra That said, I don't yet know if we'll also still need bedrock-side change if font-src somehow does not draw from default-src. Will explore but feel free to throw up a draft PR. Cheers! |
|
@stevejalim The explainer is there: #14466 — basically two things: |
|
@alexgibson This is now on staging https://bedrock-stage.gcp.moz.works/ (and coincidentally already in prod, and neither mozorg nor pocket imploded so that's a good sign;D) and the fonts there seem to be working consistently for me in nightly geckos & webkits — could you please confirm that the intermittent issues you've kept seeing are resolved now? |
|
The CSP errors are gone but are now replaced by a bunch of CORS errors. So I agree this bug is fixed, but now presented by a new problem :) |
|
💩 Ah yea, I had overrides for missing origin allows and focused only on the CSP reporting — sorry I totally forgot about these. You probably know where in the dev deployment configs this could end up if/when truly needed, I only tackled django/app specifics to close the gaps bedrock-side. There's #13940 for staging CORS et al. |
|
So I went on to take a better look at what hostnames are being used in tests and what that means for fetch/anon resources, and the issue is slightly bigger. TL;DR it would help if "relative" assets could be linked without the explicit hostname (like it does when run locally; or if in non-prod mode the app would use the request hostname as its hostname it uses for constructing URLs). Because even if you allow wildcard origins in dev (or mirror the one from request origin, if you feel like keeping a restricted list of origins to let mirror back in responses), you'd still get BTW the weirdest results are for manual pushes to integration tests branch, that run from yet another env |
Description
When viewing stage deployments directly (e.g. at https://bedrock-stage.gcp.moz.works/en-US/) something a bit strange is happening with web font loading. Fonts still seem to load eventually, but often the first request seems to get blocked due to a CSP error e.g.
Steps to reproduce
Visit: https://bedrock-stage.gcp.moz.works/en-US/
Expected result
Web fonts should load the same without error, as when viewing https://www.allizom.org/en-US/
Actual result
The first request for each font seems to get blocked.
Environment
Firefox Nightly
The text was updated successfully, but these errors were encountered: