Closed Bug 1128195 Opened 11 years ago Closed 10 years ago

Content Security Policy issues misleading debug output in the console

Categories

(Core :: DOM: Security, defect)

36 Branch
x86
macOS
defect
Not set
normal


RESOLVED DUPLICATE of bug 1026520

People

(Reporter: alex+mozillabugzilla, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150129200438

Steps to reproduce:

Set up the following:

A server that responds with this header:

```
Content-Security-Policy: script-src 'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU='
```

For a resource located at `http://localhost/hi`:

```
<!doctype html>
<html>
<body>
<script>document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');</script>
<h1>CSP demo</h1>
</body>
</html>
```

Actual results:

The page executed the JavaScript (appended a classname to the body) - this is correct behaviour, the script-src hash matches.

The console logged this message:

```
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU='"). hi:5:0
```

Expected results:

The console should not have logged that it blocked the resource. Firefox did not block the resource, because the JavaScript executed.
Component: Untriaged → DOM: Security
Product: Firefox → Core
Firefox 40

```
<script>console.log("hello");</script>
```

```
script-src 'self' 'sha256-N4H5TqgSuzNDfekEngS8OvQaDnOXFksFc3nAjDsKxIk='
```

```
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://p2pforum.localhost 'sha256-N4H5TqgSuzNDfekEngS8OvQaDnOXFksFc3nAjDsKxIk='").
```
Also, from the spec: "Note: If an element has an invalid hash, it would be helpful if the user agent reported the failure to the author by adding a warning message containing the actual hash value." This would be really useful to help understand why Firefox is getting it wrong.
The incorrect report is also posted to the CSP's report-uri.
The same issue exists for style sheets with hashes listed in the style-src.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
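An added example, not code from the bug report or from Firefox: a small evaluator that recomputes the CSP hash source for an inline script and checks it against a script-src directive, printing the actual hash the way the spec note quoted above suggests. With a matching hash the script is allowed and no violation should be logged or sent to report-uri; a single-character change to the script body shows what a genuine mismatch looks like. The policy strings and script bodies below are constructed inputs modelled on the report.

```python
# Added example (not from the bug thread or Firefox): recompute and evaluate
# CSP hash sources for inline scripts, the check a site owner would use to
# confirm a logged "blocked" message is spurious rather than a real mismatch.
import base64
import hashlib
import re

HASH_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def hash_source(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source token for the exact text between the <script> tags."""
    digest = HASH_ALGOS[algo](script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def script_src_sources(policy: str) -> list:
    """Extract the source list of the script-src directive from a CSP header value."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def check_inline_script(policy: str, script_body: str) -> dict:
    """Decide whether an inline script is hash-allowed and report the actual hashes
    (the diagnostic the CSP spec note asks user agents to print on a mismatch)."""
    sources = script_src_sources(policy)
    actual = {algo: hash_source(script_body, algo) for algo in HASH_ALGOS}
    listed = [s for s in sources if re.match(r"'sha(256|384|512)-", s)]
    allowed = any(s in actual.values() for s in listed)
    return {"allowed": allowed, "listed_hashes": listed, "actual": actual}


# Constructed inputs modelled on the report: the demo page's inline script body and a
# header built from its own recomputed hash, so a correct evaluator must allow it.
DEMO_SCRIPT = ("document.body.className = ((document.body.className) ? "
               "document.body.className + ' js-enabled' : 'js-enabled');")
DEMO_POLICY = f"script-src {hash_source(DEMO_SCRIPT)}"

if __name__ == "__main__":
    result = check_inline_script(DEMO_POLICY, DEMO_SCRIPT)
    print("allowed:", result["allowed"])  # no violation should be reported
    print("actual sha256:", result["actual"]["sha256"])
    # Whitespace edits change the hash, the usual cause of a genuine mismatch.
    print("allowed after edit:", check_inline_script(DEMO_POLICY, DEMO_SCRIPT + " ")["allowed"])
```

The hash covers the script text byte for byte, so the header must be regenerated whenever the inline script changes, including whitespace.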