Implications of enabling security.csp.enableNavigateTo
I occasionally use a site (www.zoomcare.com) which does not work properly with Firefox (I've been using Microsoft Edge (Windows 10) to access it). The problem comes when I try to log in. I enter my username and password, and that brings up a blank page that does not redirect to anything, so I'm stuck.
Just out of curiosity, I was looking through Advanced Settings, and found security.csp.enableNavigateTo. It has been set to false, but when I set it to true, I am able to successfully log in (I still go to the blank page, but after a brief pause, I'm redirected to a logged-in page).
I'd like to know something about the security implications of enabling this property. Is it a bad idea? (Not knowing, I've set it back to false and will continue to use Edge for now).
Chosen solution
From Bug 1793560 regarding security.csp.enableNavigateTo:
There are concerns about leaking redirect & cross-origin information and the editors suggest removing it from the specification
It has never shipped in Firefox (or any browser) after being implemented years ago, and was removed from spec in September 2022:
Does it still happen in a new profile? An easy way to test a new profile is to install Developer Edition and see if it happens there or refresh your existing profile.
All Replies (3)
Thanks for the reply. I've just discovered something which I should have checked before posting here. Although logging in sends me to the blank page, if I manually use the back button to go back to the login page, I am given the logged-in page (not prompted to log in again). So I guess logging in is successfully setting a cookie, even though redirection isn't working (?). Anyway, this is a good enough solution for a site I don't often use, so I consider this issue resolved.
Is there anything relevant in the Web Console?
Start Firefox in Troubleshoot Mode to check if one of the extensions ("3-bar" menu button or Tools -> Add-ons -> Extensions) or if hardware acceleration or if userChrome.css/userContent.css is causing the problem.
- switch to the Default System theme: "3-bar" menu button or Tools -> Add-ons -> Themes
- do NOT click the "Refresh Firefox" button on the Troubleshoot Mode start window