Closed Bug 1011098 Opened 10 years ago Closed 9 years ago

CSP performs two policy checks for report-only policies (LogViolationDetails double-checks)

Categories

(Core :: DOM: Security, defect, P2)

defect

RESOLVED DUPLICATE of bug 1199977

People

(Reporter: geekboy, Unassigned)

References

(Depends on 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

Right now when violations are logged via LogViolationDetails, CSP has to run a second check (mPolicies[p]->allows) in case it was a report-only policy that allowed the thing to happen/load but still requires a report. This is because LogViolationDetails is called once for the set of effective policies, and when it's called it doesn't know which policies were violated and has to check again.

It's crafted this way because:

1. we don't want the perf hit of assembling violation context information unless necessary since it can be slow
2. we support multiple policies (abstracted away as one via nsIContentSecurityPolicy)

We could rewrite violation reporting to use callbacks that do the context assembling, or permits could return an array of policy "violation indicator booleans" that say which policies were violated (and then we could pass that into LogViolationDetails). Both of these seem kind of cumbersome for the callers.

We should probably wait until the old backend is completely decommissioned (bug 994782) before we do this so there is not more than one implementation to deal with.
Whiteboard: [domsecurity-backlog]
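The following is an added illustrative model, not Gecko's CSP code, of the "array of violation indicator booleans" option described in the report: a single permits() pass over several policies records, per policy, whether it was violated, and the reporting step consumes those flags instead of calling allows() a second time. Report-only policies never block the load but still flag a violation, which is exactly the case that forces the current double check. The names Policy, Decision, permits, logViolationDetails and samplePolicies, and the origins in the sample policies, are assumptions constructed for this example.

```cpp
// Illustrative model (not Gecko code) of combining several CSP policies on one
// load and handing the per-policy violation flags to the reporting step.
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical minimal policy: a single directive with an origin allow list.
struct Policy {
    std::string name;
    std::vector<std::string> allowedOrigins;  // e.g. {"self", "https://cdn.example"}
    bool reportOnly;                          // Content-Security-Policy-Report-Only
    bool allows(const std::string& origin) const {
        for (const auto& a : allowedOrigins) {
            if (a == origin) return true;
        }
        return false;
    }
};

struct Decision {
    bool permitted;              // may the load proceed (no enforced policy blocked it)?
    std::vector<bool> violated;  // one flag per policy, true where that policy was violated
};

// One pass over all policies. A report-only policy never changes 'permitted'
// but still sets its violation flag; an enforced policy does both.
Decision permits(const std::vector<Policy>& policies, const std::string& origin) {
    Decision d{true, std::vector<bool>(policies.size(), false)};
    for (size_t i = 0; i < policies.size(); ++i) {
        if (!policies[i].allows(origin)) {
            d.violated[i] = true;
            if (!policies[i].reportOnly) d.permitted = false;
        }
    }
    return d;
}

// Reporting consumes the flags computed by permits() instead of re-running
// allows(). Returns the names of the policies a violation report is due for.
std::vector<std::string> logViolationDetails(const std::vector<Policy>& policies,
                                             const Decision& d) {
    std::vector<std::string> reported;
    for (size_t i = 0; i < policies.size(); ++i) {
        if (d.violated[i]) reported.push_back(policies[i].name);
    }
    return reported;
}

// Constructed scenario: one enforced policy and one stricter report-only policy.
std::vector<Policy> samplePolicies() {
    return {
        {"enforced",    {"self", "https://cdn.example"}, false},
        {"report-only", {"self"},                        true},
    };
}

int main() {
    const auto policies = samplePolicies();
    for (const char* origin : {"self", "https://cdn.example", "https://other.example"}) {
        Decision d = permits(policies, origin);
        std::printf("%-22s permitted=%d reports:", origin, d.permitted ? 1 : 0);
        for (const auto& name : logViolationDetails(policies, d)) std::printf(" %s", name.c_str());
        std::printf("\n");
    }
    return 0;
}
```

The middle case, a load from https://cdn.example, is the one the report describes: the enforced policy allows it, so the load proceeds, yet the report-only policy is violated and a report must still be sent. With the flags carried in Decision, the reporting step knows which policy that was without checking again.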
Inlining the reporting mechanism will eliminate that problem. We are working on that over in Bug 1199977.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE