Provide more context for CSP violations

Status: NEW (Unassigned)
Product / Component: Core / DOM: Security
Priority: P4
Severity: enhancement
Reported: 3 years ago
Updated: 7 months ago
Reporter: francois
Blocks: 2 bugs
Firefox Tracking Flags: Not tracked
Whiteboard: [domsecurity-backlog]

A number of our CSP violations omit useful details like source files and line numbers:

  this->AsyncReportViolation(aURI,
                             nullptr,       /* originalURI in case of redirect */
                             violatedDirective,
                             i,             /* policy index        */
                             EmptyString(), /* no observer subject */
                             EmptyString(), /* no source file      */
                             EmptyString(), /* no script sample    */
                             0);            /* no line number      */

Source: https://mxr.mozilla.org/mozilla-central/source/dom/security/nsCSPContext.cpp#1110

We should fill those in as much as possible.
Severity: normal → enhancement
Priority: -- → P4
Assignee: nobody → francois
Component: Security → DOM: Security
Local logging -- yay! Be careful if we are going to include this information in CSP reports, because we've had some Same-Origin violation bugs for giving too much to a potentially hostile reporting site.
Whiteboard: [domsecurity-backlog]
Assignee: francois → nobody
Blocks: 1242016
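The two halves of this bug, filling in source file / line number and not handing a hostile report-uri endpoint more than the Same-Origin Policy allows, as an added illustration that is not Firefox's code from nsCSPContext.cpp nor anything attached to this bug. It builds a "csp-report" object with the context fields populated and passes every URL through the CSP specification's "strip URL for use in reports" rules (non-network schemes collapse to the scheme name, cross-origin URLs collapse to their origin, same-origin URLs lose credentials and fragment). The `violation` field names (`sourceFile`, `lineNumber`, `blockedUrl`, ...) and the sample page, script and policy are this example's own assumptions; the report keys are the spec's. Runs under Node.js with the built-in WHATWG URL class.

```javascript
// Added example (not Firefox's or Bugzilla's code): populate the CSP report
// context the bug asks for, while stripping URLs as the CSP spec requires so
// a hostile reporting endpoint learns no cross-origin path, query,
// credentials or fragment.

const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);

// Reduce a URL to what a report may carry, relative to the protected
// document's origin (CSP "strip URL for use in reports"):
//   - non-network scheme (data:, blob:, about:, ...): the scheme name only
//   - cross-origin URL: its origin only
//   - same-origin URL: path and query kept, credentials and fragment dropped
//   - unparseable input: empty string, never echoed back
function stripUrlForReport(rawUrl, documentOrigin) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return '';
  }
  if (!NETWORK_SCHEMES.has(url.protocol)) {
    return url.protocol.slice(0, -1); // drop the trailing ':'
  }
  if (url.origin !== documentOrigin) {
    return url.origin;
  }
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}

// Assemble the "csp-report" object. `violation` is a hypothetical bag of the
// values a browser has at hand when it detects the violation; its field
// names are assumptions of this example.
function buildCspReport(violation, documentUrl) {
  const documentOrigin = new URL(documentUrl).origin;
  const report = {
    'document-uri': stripUrlForReport(documentUrl, documentOrigin),
    'referrer': stripUrlForReport(violation.referrer || '', documentOrigin),
    'violated-directive': violation.violatedDirective,
    // effective-directive is the directive name without its source list
    'effective-directive': violation.violatedDirective.split(' ')[0],
    'original-policy': violation.originalPolicy,
    'blocked-uri': stripUrlForReport(violation.blockedUrl, documentOrigin),
    'status-code': violation.statusCode || 0,
  };
  // Context fields go in only when the engine actually knows them, and the
  // file URL is stripped like any other: a cross-origin script contributes
  // its origin, not its path.
  if (violation.sourceFile) {
    report['source-file'] = stripUrlForReport(violation.sourceFile, documentOrigin);
    report['line-number'] = violation.lineNumber || 0;
    report['column-number'] = violation.columnNumber || 0;
  }
  return { 'csp-report': report };
}

// Constructed sample: a page on app.example.com whose own loader script tried
// to pull a script from a host the policy does not allow.
const DOCUMENT_URL = 'https://app.example.com/dashboard?tab=1#top';
const SAMPLE_VIOLATION = {
  violatedDirective: "script-src 'self'",
  originalPolicy: "default-src 'self'; script-src 'self'; report-uri /csp-report",
  blockedUrl: 'https://evil.example.org/beacon.js?victim=alice',
  sourceFile: 'https://app.example.com/js/loader.js?v=3#chunk',
  lineNumber: 42,
  columnNumber: 17,
  statusCode: 200,
};

// The situation the bug describes: no source information available at all.
// The context keys are then simply absent rather than filled with blanks.
const SAMPLE_VIOLATION_NO_CONTEXT = {
  ...SAMPLE_VIOLATION, sourceFile: '', lineNumber: 0, columnNumber: 0,
};

console.log(JSON.stringify(buildCspReport(SAMPLE_VIOLATION, DOCUMENT_URL), null, 2));
console.log(JSON.stringify(buildCspReport(SAMPLE_VIOLATION_NO_CONTEXT, DOCUMENT_URL), null, 2));
```

The point of routing `source-file` through the same stripping as `blocked-uri` is the one the comment above raises: the report endpoint is chosen by the policy author, not by the origin that served the script, so a full cross-origin script URL in a report would leak information the Same-Origin Policy otherwise withholds.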