character encoding of CSP violation report should be explicitly documented.

RESOLVED FIXED

Product: Core
Component: Security
Priority: --
Severity: trivial
Reported: 3 years ago
Modified: 3 years ago

People

(Reporter: Masahiro YAMADA, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
Firefox seems to POST the CSP violation report as UTF-8 when script-sample contains a NON-ASCII character.
But I cannot find ANY document about the character encoding of the violation report in MDN or the CSP Specification.

When a violation report parser uses "eval" with the OS-default encoding, it may allow execution of attacker-provided JavaScript in the report parser.

I think this is a specification and documentation bug, not an implementation bug.
But it may be better to escape NON-ASCII characters using \uxxxx.
Comment 1 (Boris Zbarsky [:bz])

This is sorta defined in the spec.  The spec says:

  To send violation reports, the user agent MUST use an algorithm equivalent to the
  following:
...
  2. Let report body be the JSON stringification of report object.

where "JSON stringification" links to https://w3c.github.io/webappsec/specs/content-security-policy/#json-stringification which says it's defined in RFC 4627.

RFC 4627 says, in section 3:

   JSON text SHALL be encoded in Unicode.  The default encoding is
   UTF-8.

I agree it would be nice to make it clearer in the spec what the encoding is.  Posted http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0010.html

As for the documentation, I updated <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_CSP_violation_reports> to mention the encoding.  Are there other docs you were looking at?
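A defender-side illustration of the two points made above (an added example, not code from this bug, from Gecko, or from the MDN page): a minimal report-receiver function that decodes the POSTed body strictly as UTF-8 per RFC 4627 section 3, parses it with a JSON parser instead of "eval", validates the csp-report object, and re-serialises it with non-ASCII escaped as \uXXXX, which is what the reporter suggested. The sample report body, the required-field list and the function names are constructed for this example; a body encoded in a non-UTF-8 legacy charset is used to show the rejection path.

```python
from __future__ import annotations

import json
from typing import Any, Dict

# Constructed sample: the kind of JSON a user agent POSTs to report-uri,
# as UTF-8 bytes, with a non-ASCII script-sample. Not a real captured report.
SAMPLE_REPORT_BODY: bytes = json.dumps({
    "csp-report": {
        "document-uri": "https://example.test/page",
        "violated-directive": "script-src 'self'",
        "original-policy": "script-src 'self'; report-uri /csp-report",
        "blocked-uri": "inline",
        "script-sample": "alert('ほげ')",
    }
}, ensure_ascii=False).encode("utf-8")

# Constructed counter-example: the same text in a legacy OS charset. A receiver
# that let the OS default decide the encoding would happily read this; a
# receiver that insists on UTF-8 (as the spec requires) rejects it.
LEGACY_ENCODED_BODY: bytes = json.dumps({
    "csp-report": {"document-uri": "https://example.test/page",
                   "violated-directive": "script-src 'self'",
                   "original-policy": "script-src 'self'",
                   "script-sample": "alert('ほげ')"}
}, ensure_ascii=False).encode("shift_jis")

# Fields this example insists on (an assumption of the example, not the spec's list).
REQUIRED_FIELDS = ("document-uri", "violated-directive", "original-policy")


class ReportError(ValueError):
    """Raised for any body the receiver refuses to accept."""


def parse_csp_report(body: bytes) -> Dict[str, str]:
    """Decode and validate a violation report body; returns the csp-report fields."""
    # 1. Decode as UTF-8 only. RFC 4627 s.3: JSON text is Unicode, default UTF-8.
    #    Never fall back to the platform default encoding.
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ReportError(f"report body is not valid UTF-8: {exc}") from None
    # 2. Parse with a JSON parser. eval() on this text would run attacker input.
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ReportError(f"report body is not valid JSON: {exc}") from None
    # 3. Check the shape before trusting any of it.
    if not isinstance(doc, dict) or not isinstance(doc.get("csp-report"), dict):
        raise ReportError("missing csp-report object")
    report = doc["csp-report"]
    for field in REQUIRED_FIELDS:
        if not isinstance(report.get(field), str):
            raise ReportError(f"missing or non-string field: {field}")
    # 4. Keep only string-valued fields; everything in them is opaque data.
    return {k: v for k, v in report.items() if isinstance(v, str)}


def accepts(body: bytes) -> bool:
    """True if the body is a well-formed UTF-8 JSON violation report."""
    try:
        parse_csp_report(body)
        return True
    except ReportError:
        return False


def ascii_safe_json(report: Dict[str, Any]) -> str:
    """Re-serialise with non-ASCII escaped as \\uXXXX so the stored log is pure ASCII."""
    return json.dumps(report, ensure_ascii=True, sort_keys=True)


if __name__ == "__main__":
    parsed = parse_csp_report(SAMPLE_REPORT_BODY)
    print(ascii_safe_json(parsed))
    print("legacy-charset body accepted:", accepts(LEGACY_ENCODED_BODY))
```

The strict decode is what closes the gap the reporter describes: the body carries no charset of its own, so the receiver must pin UTF-8 itself rather than inherit whatever the host's locale happens to be.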
(Reporter)

Comment 2

3 years ago
(In reply to Boris Zbarsky [:bz] from comment #1)
> This is sorta defined in the spec.  The spec says:
> 
>   To send violation reports, the user agent MUST use an algorithm equivalent
> to the
>   following:
> ...
>   2. Let report body be the JSON stringification of report object.
> 
> where "JSON stringification" links to
> https://w3c.github.io/webappsec/specs/content-security-policy/#json-
> stringification which says it's defined in RFC 4627.
> 
> RFC 4627 says, in section 3:
> 
>    JSON text SHALL be encoded in Unicode.  The default encoding is
>    UTF-8.
> 
> I agree it would be nice to make it clearer in the spec what the encoding
> is.  Posted
> http://lists.w3.org/Archives/Public/public-webappsec/2014Dec/0010.html
> 
> As for the documentation, I updated
> <https://developer.mozilla.org/en-US/docs/Web/Security/CSP/
> Using_CSP_violation_reports> to mention the encoding.  Are there other docs
> you were looking at?

It seems to be fine. I think this bug can be marked as FIXED.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED