Closed
Bug 1182087
Opened 9 years ago
Closed 9 years ago
Test CSP violation report scenarios with fetch interception
Categories
(Core :: DOM: Service Workers, defect)
Tracking
RESOLVED
INVALID
FxOS-S3 (24Jul)
| | Tracking | Status |
|---|---|---|
| firefox42 | --- | affected |
People
(Reporter: noemi, Assigned: amac)
No description provided.
Reporter • Updated 9 years ago
Target Milestone: --- → FxOS-S3 (24Jul)
Assignee • Comment 1 • 9 years ago
I've been writing some test pages for this, and... I can't see how this might be exploitable. The CSP report is intercepted (there's already a test for that), but the response is never exposed to content; as far as I can see in the code, the result of the report is not exposed anywhere (/dom/security/nsCSPContext.cpp just seems to read the response and then throw it away happily). So I can't write a mochitest or a platform test for this because... from the content there's nothing to be seen.

The only thing that might be a problem here is that CSP reports don't follow redirects, but the service worker could do something like e.respondWith(fetch(e.request)) and... I think that if a redirect is returned, that *would* follow the redirect (correctly too, since it's a new fetch and not the original one) and wouldn't give a warning.

So... not much to do here, I believe. WDYT, Ehsan?
Flags: needinfo?(ehsan)
Comment 2 • 9 years ago
You're right!
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(ehsan)
Resolution: --- → INVALID