Closed Bug 847069 Opened 11 years ago Closed 10 years ago

CSP WARN: can't use report URI from non-matching eTLD+1: cspbuilder.info

Categories: Core :: Security, defect

Version: 20 Branch
Platform: x86, Windows XP
Priority: Not set
Severity: normal


RESOLVED DUPLICATE of bug 843311

People

(Reporter: pawel.krawczyk, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22

Steps to reproduce:

Go to http://webcookies.info/ which sets the following CSP:

X-Content-Security-Policy-Report-Only:Content-Security-Policy-Report-Only: default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; connect-src 'none'; font-src 'none'; object-src 'none'; media-src 'none'; frame-src 'none'; sandbox; report-uri http://cspbuilder.info/report/5657266136855547870/


Actual results:

Firefox displayed the following warning in console:

CSP WARN:  can't use report URI from non-matching eTLD+1: cspbuilder.info



Expected results:

Firefox should send the report to the indicated page. The CSP proposed standard (http://www.w3.org/TR/CSP/) does not require that reports are only sent to the same TLD, and it doesn't really add much security, as reports do not contain any sensitive information. On the other hand, blocking reports sent to a 3rd party makes any CSP-related service (policy refinement or log processing) impossible.
Component: Untriaged → Security
Product: Firefox → Core
The X- version of the header predates the standard -- please stop using it (it will be removed in a future version of Firefox). The report destination restrictions also predate the standard and came from a time when reports did, in fact, have sensitive information.

The standard removed information from the report and specified that reports should not have any destination restrictions, and more recent versions of Firefox implement that standard if you are using the standard Content-Security-Policy header.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
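As an added illustration (not code from this bug or from Firefox), the script below applies the two rules discussed in the thread, the legacy eTLD+1 check behind the "non-matching eTLD+1" warning for the X- header and the standard's no-restriction behaviour for the standard header, to the policy from the report. The function names and the tiny public-suffix set are my assumptions; the real Firefox check used the full Public Suffix List.

```python
"""Classify CSP report-uri targets under the legacy X- header rule (same eTLD+1
only) versus the W3C CSP standard (no destination restriction)."""
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List; only suffixes needed here.
PUBLIC_SUFFIXES = {"com", "info", "org", "net", "co.uk"}

# Policy value from the bug report (directives after the header name).
POLICY = ("default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; "
          "connect-src 'none'; font-src 'none'; object-src 'none'; media-src 'none'; "
          "frame-src 'none'; sandbox; "
          "report-uri http://cspbuilder.info/report/5657266136855547870/")


def etld_plus_one(host):
    """Registrable domain: the label immediately left of the longest public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def parse_csp(value):
    """Split a CSP value into {directive-name: [source tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def report_uri_status(header_name, value, document_url):
    """Map each report-uri to 'sent' or a 'dropped: ...' reason.

    Legacy X-Content-Security-Policy* headers drop reports whose host is not in
    the document's eTLD+1; the standard header sends them unconditionally."""
    legacy = header_name.lower().startswith("x-")
    doc_domain = etld_plus_one(urlparse(document_url).hostname)
    status = {}
    for uri in parse_csp(value).get("report-uri", []):
        target = urlparse(uri).hostname or doc_domain  # relative URI: same host
        if legacy and etld_plus_one(target) != doc_domain:
            status[uri] = "dropped: non-matching eTLD+1 %s" % etld_plus_one(target)
        else:
            status[uri] = "sent"
    return status


if __name__ == "__main__":
    for name in ("X-Content-Security-Policy-Report-Only", "Content-Security-Policy-Report-Only"):
        print(name, report_uri_status(name, POLICY, "http://webcookies.info/"))
```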