Bug #131
accounts-fedoraproject-org-fix works with Haketilo 2.0, but not Haketilo 3.0b1
100%
Description
I was playing around with Haketilo 3.0b1 and the Epiphany web browser (which doesn't itself support disabling JavaScript), and I noticed the Fedora account registration fix does not properly enable changing between the "Login" and "Register" tab, as is required for registration. I later tested this in a clean Abrowser proflile (with the only settings change to connect to the proxy), and I found the same issue.
I wasn't sure whether to mark this as a bug with this specific site fix or a bug with the proxy, but I think it's more likely to be a proxy bug because the fix still works with Haketilo 2.0 (as far as I can tell without actually registering).
Here's a log from the Abrowser developer console on the clean profile configured to connect to the Haketilo proxy (which is running via the relocatable binary):
Content Security Policy: Not supporting directive ‘script-src-elem’. Directive and values will be ignored. Content Security Policy: Not supporting directive ‘script-src-attr’. Directive and values will be ignored. Content Security Policy: Not supporting directive ‘script-src-elem’. Directive and values will be ignored. Content Security Policy: Not supporting directive ‘script-src-attr’. Directive and values will be ignored. Loading failed for the <script> with source “https://accounts.fedoraproject.org/theme/static/js/jquery/jquery-3.3.1.min.js”. accounts.fedoraproject.org:346:1 Loading failed for the <script> with source “https://accounts.fedoraproject.org/theme/static/js/fedora-bootstrap/fedora-bootstrap.min.js”. accounts.fedoraproject.org:347:1 Content Security Policy: The page’s settings blocked the loading of a resource at https://accounts.fedoraproject.org/theme/static/js/jquery/jquery-3.3.1.min.js (“script-src”). Content Security Policy: The page’s settings blocked the loading of a resource at https://accounts.fedoraproject.org/theme/static/js/fedora-bootstrap/fedora-bootstrap.min.js (“script-src”). Content Security Policy: The page’s settings blocked the loading of a resource at https://accounts.fedoraproject.org/-0OvafBtud0/api/page_init_script.js (“script-src”). Content Security Policy: The page’s settings blocked the loading of a resource at https://accounts.fedoraproject.org/-0OvafBtud0/static/accounts-fedoraproject-org-fix/fedoraaccounts.js (“script-src”). Loading failed for the <script> with source “https://accounts.fedoraproject.org/-0OvafBtud0/api/page_init_script.js”. accounts.fedoraproject.org:353:1 Loading failed for the <script> with source “https://accounts.fedoraproject.org/-0OvafBtud0/static/accounts-fedoraproject-org-fix/fedoraaccounts.js”. accounts.fedoraproject.org:353:1
I have attached a HAR file that corresponds to the above log.
I suspect the issue has something to do with the website's actual CSP headers, and Haketilo isn't properly removing the ones that would block the injected scripts? But that's just a guess.
I told Haketilo to enable the fix when it asked the first time I went to the page while connected to the proxy (This was with Epiphany, but I wouldn't think that would matter.).
Files
History
Updated by koszko 11 months ago
I see where the bug is. I indeed failed to remove the original CSP of the page. If you look at the HTTP response, you'll see 2 CSP headers.
content-security-policy: default-src 'self'; script-src 'strict-dynamic' 'nonce-9JqJAHhiLSWHWgcsPqXN-_I1IgLKA2xb'; img-src 'self' seccdn.libravatar.org pagure.io; style-src 'self' 'nonce-9JqJAHhiLSWHWgcsPqXN-_I1IgLKA2xb' content-security-policy: script-src https://accounts.fedoraproject.org/-0OvafBtud0/; script-src-elem 'none'; script-src-attr 'none'
The first one comes from the site. The one at the bottom comes from the proxy.
I can't believe I committed such a big overlooking :o Anyway, my CSP handling code wasn't super-clean either so I refactored it last week. The fix seems to work properly with the current version. You can try building Haketilo from git checkout (as suggested in the other issue) or you can wait for 3.0-beta2 to have things work more smoothly. I intend to upload beta2 before the end of this month (i.e. before NLnet grant ends)
Updated by koszko 10 months ago
- % Done changed from 0 to 100
- Status changed from New to Closed
jacobk wrote:
Yep, after building with the latest koszko branch, the Fedora account page seems to work fine (I didn't actually try to register, but the tabs work fine.).
Actually, I recall tabs were the only thing that had to be fixed there :) Anyway, I assume I can close this now