Implications of enabling security.csp.enableNavigateTo

  • 3 replies
  • 0 have this problem
  • 1 view
  • Last reply by cor-el

I occasionally use a site (www.zoomcare.com) which does not work properly with Firefox (I've been using Microsoft Edge (Windows 10) to access it). The problem comes when I try to log in. I enter my username and password, and that brings up a blank page that does not redirect to anything, so I'm stuck.

Just out of curiosity, I was looking through Advanced Settings, and found security.csp.enableNavigateTo. It has been set to false, but when I set it to true, I am able to successfully log in (I still go to the blank page, but after a brief pause, I'm redirected to a logged-in page).

I'd like to know something about the security implications of enabling this property. Is it a bad idea? (Not knowing, I've set it back to false and will continue to use Edge for now).

Chosen solution

From Bug 1793560 regarding security.csp.enableNavigateTo:

There are concerns about leaking redirect & cross-origin information and the editors suggest removing it from the specification
It has never shipped in Firefox (or any browser) after being implemented years ago, and was removed from spec in September 2022:

Does it still happen in a new profile? An easy way to test a new profile is to install Developer Edition and see if it happens there or refresh your existing profile.

All replies (3)

Thanks for the reply. I've just discovered something which I should have checked before posting here. Although logging in sends me to the blank page, if I manually use the back button to go back to the login page, I am given the logged-in page (not prompted to log in again). So I guess logging in is successfully setting a cookie, even though redirection isn't working (?). Anyway, this is a good enough solution for a site I don't often use, so I consider this issue resolved.

Is there anything relevant in the Web Console?

Start Firefox in Troubleshoot Mode to check if one of the extensions ("3-bar" menu button or Tools -> Add-ons -> Extensions) or if hardware acceleration or if userChrome.css/userContent.css is causing the problem.

  • switch to the Default System theme: "3-bar" menu button or Tools -> Add-ons -> Themes
  • do NOT click the "Refresh Firefox" button on the Troubleshoot Mode start window