Closed
Bug 847069
Opened 11 years ago
Closed 10 years ago
CSP WARN: can't use report URI from non-matching eTLD+1: cspbuilder.info
Categories
(Core :: Security, defect)
RESOLVED
DUPLICATE
of bug 843311
People
(Reporter: pawel.krawczyk, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22

Steps to reproduce:

Go to http://webcookies.info/ which sets the following CSP:

X-Content-Security-Policy-Report-Only:
Content-Security-Policy-Report-Only: default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; connect-src 'none'; font-src 'none'; object-src 'none'; media-src 'none'; frame-src 'none'; sandbox; report-uri http://cspbuilder.info/report/5657266136855547870/

Actual results:

Firefox displayed the following warning in console:

CSP WARN: can't use report URI from non-matching eTLD+1: cspbuilder.info

Expected results:

Firefox should send report to indicated page. CSP proposed standard (http://www.w3.org/TR/CSP/) does not require that the reports are only sent to the same TLD and it doesn't really add much security, as reports do not contain any sensitive information. On the other hand, blocking reports sent to a 3rd party makes any CSP-related service (policy refinement or log processing) impossible.
Updated 11 years ago
Component: Untriaged → Security
Product: Firefox → Core
Comment 1 (10 years ago)
The X- version of the header predates the standard -- please stop using it (it will be removed in a future version of Firefox). The report destination restrictions also predate the standard and came from a time when reports did, in fact, have sensitive information. The standard removed information from the report as well as specified that reports should not have any destination restrictions, and more recent versions of Firefox implement that standard if you are using the standard Content-Security-Policy header.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
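As an added example (not code from Firefox, cspbuilder.info or the reporter), a small Python lint that flags the two things discussed in this bug: the pre-standard X- prefixed header, and a report-uri whose registrable domain (eTLD+1) differs from the page's, which the legacy Firefox check rejected. The public-suffix table is a constructed toy; a real check would use the Public Suffix List.

```python
"""Lint CSP response headers for a legacy X- header and a cross-site report-uri.
Added example; not Firefox or cspbuilder.info code."""
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "info", "org", "co.uk"}

LEGACY_HEADERS = {"x-content-security-policy", "x-content-security-policy-report-only"}
STANDARD_HEADERS = {"content-security-policy", "content-security-policy-report-only"}


def etld_plus_one(host):
    """Return the registrable domain (eTLD+1) of host using the toy suffix table."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)  # host is itself a suffix or a single label


def parse_policy(policy):
    """Split a CSP string into {directive: [source, ...]}; valueless directives get []."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def lint_csp(page_url, headers):
    """Return findings for a response header dict; relative report-uri values resolve to the page."""
    findings = []
    page_host = urlsplit(page_url).hostname
    page_site = etld_plus_one(page_host)
    for name, value in headers.items():
        lname = name.lower()
        if lname in LEGACY_HEADERS:
            findings.append(f"{name}: pre-standard X- header, use the standard name")
        if lname not in LEGACY_HEADERS | STANDARD_HEADERS:
            continue
        for uri in parse_policy(value).get("report-uri", []):
            site = etld_plus_one(urlsplit(uri).hostname or page_host)
            if site != page_site:
                findings.append(f"{name}: report-uri {uri} is cross-site "
                                f"({site} != {page_site}); legacy Firefox drops it")
    return findings
```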