Closed Bug 1106775 Opened 10 years ago Closed 10 years ago

character encoding of CSP violation report should be explicitly documented.

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86_64
Windows 8.1
Type:
defect
Priority:
Not set
Severity:
trivial

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: masa141421356, Unassigned)

References

(Blocks 1 open bug)

Details

Firefox seems to POST CSP violation report as UTF-8 when script-sample contains NON-ASCII character.
But I cannot find ANY document about character encoding of violation report in MDN and CSP Specification.

When violation report parser uses "eval" on OS -efault encoding, it may allow to execute attacker-provided JavaScript on report parser.

I think this is specification and documentation bug, not implementation bug.
But it may be better to escape NON-ASCII character using \uxxxx.
This is sorta defined in the spec.  The spec says:

  To send violation reports, the user agent MUST use an algorithm equivalent to the
  following:
...
  2. Let report body be the JSON stringification of report object.

where "JSON stringification" links to https://w3c.github.io/webappsec/specs/content-security-policy/#json-stringification which says it's defined in RFC 4627.

RFC 4627 says, in section 3:

   JSON text SHALL be encoded in Unicode.  The default encoding is
   UTF-8.

I agree it would be nice to make it clearer in the spec what the encoding is.  Posted http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0010.html

As for the documentation, I updated <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_CSP_violation_reports> to mention the encoding.  Are there other docs you were looking at?
(In reply to Boris Zbarsky [:bz] from comment #1)
> This is sorta defined in the spec.  The spec says:
> 
>   To send violation reports, the user agent MUST use an algorithm equivalent
> to the
>   following:
> ...
>   2. Let report body be the JSON stringification of report object.
> 
> where "JSON stringification" links to
> https://w3c.github.io/webappsec/specs/content-security-policy/#json-
> stringification which says it's defined in RFC 4627.
> 
> RFC 4627 says, in section 3:
> 
>    JSON text SHALL be encoded in Unicode.  The default encoding is
>    UTF-8.
> 
> I agree it would be nice to make it clearer in the spec what the encoding
> is.  Posted
> http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0010.html
> 
> As for the documentation, I updated
> <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/
> Using_CSP_violation_reports> to mention the encoding.  Are there other docs
> you were looking at?

It seems to be fine fine. I think this bug can be marked as FIXED.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.