Closed
Bug 1031417
Opened 12 years ago
Closed 12 years ago
CSP: Missing 'violated directive' in console error message if no matching directive and no default directive in policy
Categories
(Core :: DOM: Security, defect)
Core
DOM: Security
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: ckerschb, Assigned: ckerschb)
References
Details
Attachments
(1 file)
|
4.67 KB,
patch
|
Details | Diff | Splinter Review |
Debugging 1031259 revealed that the violated directive might empty:
Error: Content Security Policy: The page's settings blocked the loading of a resource at http://a.disquscdn.com/next/styles/lounge.0ba88a7f9c9b078d4ac100dcb6be5435.css ("").
This can occur in case there is no matching directive (e.g. no script-src when loading a script) and also no default-src is defined.
| Assignee | ||
Comment 1•12 years ago
|
||
The attached patch provides a default message for the console in case no default-src and also no matching directive is defined, see:
Content Security Policy: The page's settings blocked the loading of a resource at http://a.disquscdn.com/next/styles/lounge.dc5b2f87539382b404b9cb2f6d35d82c.css ("No default-src and no style-src defined").
There was mismapping in CSP_DirectiveToContentType, which also can go into this patch (websocket -> connect-src).
Do we need to add a testcase?
Also, we could define the message in csp.properties, not sure if it's necessary though.
Attachment #8447370 -
Flags: review?(sstamm)
| Assignee | ||
Updated•12 years ago
|
Assignee: nobody → mozilla
Comment 2•12 years ago
|
||
If no default-src and no matching directive, the load should be allowed. See bug 764937 and bug 1031259 comment 8.
So we probably don't need the error message, just to allow the load. Wouldn't hurt to clean up the mappings too.
| Assignee | ||
Comment 3•12 years ago
|
||
Have been discussing the problem with Sid on IRC. It seems that the comment in bug https://bugzilla.mozilla.org/show_bug.cgi?id=764937#c0 provides the solution for the problem.
If no matching directive can be found and also no default-src is defined, then CSP should always allow the load. Going to provide a patch for 1031259 that incorporates that change and marking this bug as a INVALID.
| Assignee | ||
Comment 4•12 years ago
|
||
Comment on attachment 8447370 [details] [diff] [review]
bug_1031417.patch
Clearing the review flag since this patch has become invalid.
Attachment #8447370 -
Flags: review?(sstamm)
Comment 5•12 years ago
|
||
This would be a problem, but bug 1031259 will make this bug disappear since this error condition won't exist to require a good error message. Loads where there's no default-src and no relevant directive should be allowed and no error should be posted to the web console.
Mappings will be cleaned up in bug 1031530.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•