Closed Bug 1034157 Opened 11 years ago Closed 11 years ago

[CSP] new csp implementation doesn't always send violation reports

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla33

People

(Reporter: geekboy, Assigned: geekboy)

References

Details

Attachments

(1 file, 1 obsolete file)

fix-violation-reporting
9.02 KB, patch
ckerschb
: review+
Details | Diff | Splinter Review
I noticed while updating content/base/test/unit/test_cspreports.js to use the new backend that the violation reporting doesn't always work (test fails due to nsIContentPolicy disallowing the load). Turns out we were not passing the protected document URI (mSelfURI) when checking if we can send the reports, so it was always saying no. For example: http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsCSPContext.cpp#186 186 this->AsyncReportViolation(aContentLocation, 187 aRequestOrigin, 188 violatedDirective, 189 p, /* policy index */ 190 EmptyString(), /* no observer subject */ 191 EmptyString(), /* no source file */ 192 EmptyString(), /* no script sample */ 193 0); /* no line number */ aRequestOrigin might not be right, since CSP should always use the "self" URI (mSelfURI) since that's the protected document corresponding to "this". Same here: http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsCSPContext.cpp#444 444 this->AsyncReportViolation(selfISupports, nullptr, violatedDirective, p, \ 445 NS_LITERAL_STRING(observerTopic), \ 446 aSourceFile, aScriptSample, aLineNum); \ The second arg should not be nullptr, should be the self URI like it is for frame ancestors: http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsCSPContext.cpp#1072
Attached patch fix-violation-reporting (obsolete) — Splinter Review
Attachment #8450361 - Flags: review?(mozilla)
Comment on attachment 8450361 [details] [diff] [review] fix-violation-reporting Review of attachment 8450361 [details] [diff] [review]: ----------------------------------------------------------------- I think you got it all - good catch, also updating the 'line-number' and the CSPCONTEXTLOG goes nicely with this patch! Let's roll this one out!
Attachment #8450361 - Flags: review?(mozilla) → review+
d'oh, forgot to qrefresh. Here's the right patch.
Attachment #8450361 - Attachment is obsolete: true
Attachment #8450371 - Flags: review?(mozilla)
Comment on attachment 8450371 [details] [diff] [review] fix-violation-reporting you forgot to carry over my r+ from earlier.
Attachment #8450371 - Flags: review?(mozilla) → review+
https://hg.mozilla.org/mozilla-central/rev/a6a8770eb49d
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Depends on: 994322
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: