Content Security Policy issues misleading debug output in the console

RESOLVED DUPLICATE of bug 1026520

Core
DOM: Security
People

(Reporter: Alex Muller, Unassigned)

Tracking

36 Branch
x86
Mac OS X
Details

Description

3 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150129200438

Steps to reproduce:

Set up the following:

A server that responds with this header:

```
Content-Security-Policy: script-src 'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU='
```

For a resource located at `http://localhost/hi`:

```
<!doctype html>
<html>
<body>

<script>document.body.className = ((document.body.className) ? document.body.className + ' js-enabled' : 'js-enabled');</script>

<h1>CSP demo</h1>

</body>
</html>
```


Actual results:

The page executed the JavaScript (appended a class name to the body) - this is correct behaviour, the script-src hash matches.

The console logged this message:

```
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src 'sha256-+6WnXIl4mbFTCARd8N3COQmT3bJJmo32N8q8ZSQAIcU='").          hi:5:0
```


Expected results:

The console should not have logged that it blocked the resource. Firefox did not block the resource, because the JavaScript executed.
Component: Untriaged → DOM: Security
Product: Firefox → Core

Comment 1

2 years ago
Firefox 40

```
<script>console.log("hello");</script>
```

```
script-src 'self' 'sha256-N4H5TqgSuzNDfekEngS8OvQaDnOXFksFc3nAjDsKxIk='
```

```
Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src https://p2pforum.localhost 'sha256-N4H5TqgSuzNDfekEngS8OvQaDnOXFksFc3nAjDsKxIk='").
```

Comment 2

2 years ago
Also, from the spec:

"Note: If an element has an invalid hash, it would be helpful if the user agent reported the failure to the author by adding a warning message containing the actual hash value."

This would be really useful to help understand why Firefox is getting it wrong.
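The hash-source check the description relies on, written out as an added example that is not code from the bug or from Firefox: it computes the `'sha256-...'` expression for an inline script's exact bytes, evaluates the script against a policy's `script-src` (falling back to `default-src`), and returns the computed hash alongside the verdict, which is the diagnostic Comment 2 asks the browser to report. The inline script and policy strings are constructed for the example; the hash values in the bug itself are not reproduced.

```python
import base64
import binascii
import hashlib
import re

# Constructed inline script, modelled on the report's <script> element.
INLINE_SCRIPT = 'document.body.className = "js-enabled";'

HASH_SOURCE = re.compile(r"^'(sha256|sha384|sha512)-([A-Za-z0-9+/_=-]+)'$", re.I)


def csp_hash_source(script_text, algorithm="sha256"):
    """Return the hash-source expression to list in script-src for this script.

    CSP hashes the exact UTF-8 bytes between <script> and </script>, whitespace
    included, so the text must be passed byte-for-byte as it is served.
    """
    digest = hashlib.new(algorithm, script_text.encode("utf-8")).digest()
    return "'%s-%s'" % (algorithm, base64.b64encode(digest).decode("ascii"))


def directive_sources(header, directive):
    """Return the source list of one directive in a CSP header, or None if absent."""
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return tokens[1:]
    return None


def inline_script_allowed(header, script_text):
    """Evaluate an inline script against script-src (or default-src) and return
    (allowed, computed_sha256_source). On a block, the computed source is the
    value a console message should show so the author can fix the policy."""
    sources = directive_sources(header, "script-src")
    if sources is None:
        sources = directive_sources(header, "default-src") or []
    computed = csp_hash_source(script_text)
    hashes = [m for m in (HASH_SOURCE.match(s) for s in sources) if m]
    for m in hashes:
        algo, b64 = m.group(1).lower(), m.group(2)
        try:  # accept base64url spelling as well; skip unparseable values
            expected = base64.b64decode(b64.replace("-", "+").replace("_", "/"))
        except (binascii.Error, ValueError):
            continue
        if hashlib.new(algo, script_text.encode("utf-8")).digest() == expected:
            return True, computed
    # CSP level 2: any hash or nonce source in the directive disables 'unsafe-inline'.
    nonces = [s for s in sources if s.lower().startswith("'nonce-")]
    if "'unsafe-inline'" in [s.lower() for s in sources] and not hashes and not nonces:
        return True, computed
    return False, computed
```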

Comment 3

2 years ago
The incorrect report is also posted to the CSP's report-uri.

Comment 4

2 years ago
The same issue exists for style sheets with hashes listed in the style-src.

Updated

2 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1026520