Closed Bug 1031417 Opened 12 years ago Closed 12 years ago

CSP: Missing 'violated directive' in console error message if no matching directive and no default directive in policy

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: ckerschb, Assigned: ckerschb)

References

Details

Attachments

(1 file)

Debugging 1031259 revealed that the violated directive might empty: Error: Content Security Policy: The page's settings blocked the loading of a resource at http://a.disquscdn.com/next/styles/lounge.0ba88a7f9c9b078d4ac100dcb6be5435.css (""). This can occur in case there is no matching directive (e.g. no script-src when loading a script) and also no default-src is defined.
The attached patch provides a default message for the console in case no default-src and also no matching directive is defined, see: Content Security Policy: The page's settings blocked the loading of a resource at http://a.disquscdn.com/next/styles/lounge.dc5b2f87539382b404b9cb2f6d35d82c.css ("No default-src and no style-src defined"). There was mismapping in CSP_DirectiveToContentType, which also can go into this patch (websocket -> connect-src). Do we need to add a testcase? Also, we could define the message in csp.properties, not sure if it's necessary though.
Attachment #8447370 - Flags: review?(sstamm)
Assignee: nobody → mozilla
If no default-src and no matching directive, the load should be allowed. See bug 764937 and bug 1031259 comment 8. So we probably don't need the error message, just to allow the load. Wouldn't hurt to clean up the mappings too.
Have been discussing the problem with Sid on IRC. It seems that the comment in bug https://bugzilla.mozilla.org/show_bug.cgi?id=764937#c0 provides the solution for the problem. If no matching directive can be found and also no default-src is defined, then CSP should always allow the load. Going to provide a patch for 1031259 that incorporates that change and marking this bug as a INVALID.
Comment on attachment 8447370 [details] [diff] [review] bug_1031417.patch Clearing the review flag since this patch has become invalid.
Attachment #8447370 - Flags: review?(sstamm)
This would be a problem, but bug 1031259 will make this bug disappear since this error condition won't exist to require a good error message. Loads where there's no default-src and no relevant directive should be allowed and no error should be posted to the web console. Mappings will be cleaned up in bug 1031530.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: