Closed Bug 1070732 Opened 7 years ago Closed 7 years ago

CSP: log warning if csp-report is not sent using http or https

Categories

(Core :: DOM: Security, defect)

RESOLVED FIXED
mozilla35

People

(Reporter: ckerschb, Assigned: ckerschb)

Attachments

(1 file)

The JS implementation of CSP used to log a warning to the console if a report scheme was not http or https:
http://mxr.mozilla.org/mozilla-central/source/dom/locales/en-US/chrome/security/csp.properties#35

We should incorporate that change in the new CSP implementation.
Blocks: 1000945
Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Comment on attachment 8492768
bug_1070732_log_warning_if_report_not_http.patch

Review of attachment 8492768:
-----------------------------------------------------------------

r=me with one minor change.

::: content/base/src/nsCSPContext.cpp
@@ +700,5 @@
> +    // log a warning to console if scheme is not http or https
> +    nsAutoCString reportScheme;
> +    rv = reportURI->GetScheme(reportScheme);
> +    NS_ENSURE_SUCCESS(rv, rv);
> +    if (!reportScheme.EqualsASCII("http") || !reportScheme.EqualsASCII("https")) {
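
Review bot: The condition on the last quoted line, `!reportScheme.EqualsASCII("http") || !reportScheme.EqualsASCII("https")`, is true for every scheme, because no string equals both "http" and "https", so the warning would be logged for http and https report URIs as well. Join the two negated checks with `&&`, or negate a single `||` of the positive checks, so the warning fires only when the scheme is neither of the two.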

Please use nsIURI.SchemeIs() for the scheme checks (shortcut!)
http://mxr.mozilla.org/mozilla-central/source/netwerk/base/public/nsIURI.idl#165
Attachment #8492768 - Flags: review?(sstamm) → review+
https://hg.mozilla.org/mozilla-central/rev/c14d1ef31a7f
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED