Closed Bug 1192681 Opened 10 years ago Closed 10 years ago

Content Security Policy report "blocked-uri" should not report fragment in some cases

Categories

(Core :: DOM: Security, defect)

39 Branch
defect
Not set
normal

Tracking


RESOLVED WORKSFORME

People

(Reporter: tollmanz, Unassigned)

Details

(Whiteboard: [domsecurity-backlog])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.107 Safari/537.36

Steps to reproduce:

1. Set a Content Security Policy of `default https://www.example.com; report-uri https://www.example.com/csp-report` for an HTML document.
2. Have the HTML document attempt to load an image with src of "http://www.anotherdomain.com/test.jpg".

Actual results:

A report is issued with a JSON payload that includes:

"blocked-uri": "http://www.anotherdomain.com/test.jpg"

Expected results:

A report should be issued with a JSON payload that includes:

"blocked-uri": "http://www.anotherdomain.com/"

Note that the URL fragment is truncated. According to the CSP2 spec regarding stripping the "blocked-uri" for reporting:

"If the origin of uri is not the same as the origin of the protected resource, then abort these steps, and return the ASCII serialization of uri's origin."

Note that if the violation is due to a resource that shares the same origin URI as the primary document, the fragment can be sent.
Component: Untriaged → DOM: Security
Product: Firefox → Core
Kamil, Matt, I think this one got fixed within:
> Bug 1208946 - Strip URIs in CSP reports

Can you see if you can still reproduce the error?
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
Whiteboard: [domsecurity-backlog]
QA Contact: kjozwiak
I reproduced the original issue using the following build:

* https://archive.mozilla.org/pub/firefox/releases/39.0.3/mac/en-US/

Received the following report:

{
  "csp-report": {
    "blocked-uri": "http://i.imgur.com/dYgkLlt.jpg",
    "document-uri": "http://kjozwiak.local:22935/poc",
    "original-policy": "connect-src http://kjozwiak.local:22935; default-src 'none'; img-src http://kjozwiak.local:22935; script-src http://kjozwiak.local:22935 'nonce-a55f2ddcb82ef26a1bfc60edfb9b23bd'; style-src http://kjozwiak.local:22935 'nonce-fb930d8c15cf1583c8e2962d390fc1fb'; report-uri https://report-uri.io/report/kamiljoz/reportOnly",
    "referrer": "",
    "violated-directive": "img-src http://kjozwiak.local:22935"
  }
}

Went through verification using the following builds:

* https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-14-03-02-15-mozilla-central/
* https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-14-00-40-22-mozilla-aurora/
* https://archive.mozilla.org/pub/firefox/candidates/46.0b1-candidates/build8/
* https://archive.mozilla.org/pub/firefox/releases/45.0

* fx48.0a1 - PASSED
* fx47.0a2 - PASSED
* fx46.0b1 - PASSED
* fx45.0 - PASSED

Received the following report (the URL is being truncated):

{
  "csp-report": {
    "blocked-uri": "http://i.imgur.com",
    "document-uri": "http://kjozwiak.local:22935/poc",
    "original-policy": "connect-src http://kjozwiak.local:22935; default-src 'none'; img-src http://kjozwiak.local:22935; script-src http://kjozwiak.local:22935 'nonce-2bf12a3594c9b738bca568bef0dba813'; style-src http://kjozwiak.local:22935 'nonce-b996c98ef7efb527a69fc6a28bcf94ec'; report-uri https://report-uri.io/report/kamiljoz/reportOnly",
    "referrer": "",
    "violated-directive": "img-src http://kjozwiak.local:22935"
  }
}

Chris, looks like this isn't an issue anymore. I reproduced the original issue using fx39.0.3 but couldn't reproduce the problem using fx48.0a1, fx47.0a2, fx46.0b1 and fx45.0.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(mozilla)
Flags: needinfo?(kjozwiak)
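Added example, not Firefox code and not part of this bug's comments: the CSP2 "strip URI for reporting" rule quoted in comment 0, written out in JavaScript and run against the two reports pasted in comment 2. Step 1 is the sentence quoted in comment 0 (cross-origin blocked URI becomes the ASCII serialization of its origin, which has no path and no trailing slash, matching the "http://i.imgur.com" value in the fixed builds). Step 2, dropping the fragment of a same-origin URI, is the next step of the same CSP2 algorithm; it is not quoted on this page and is included for completeness. The `auditBlockedUri` helper is an assumption of how a report receiver might flag over-reporting browsers; the `www.example.com` inputs are constructed.

```javascript
// Added example (not Firefox code): CSP2 "strip URI for reporting" as quoted
// in comment 0 of this bug, applied to the report JSON from comment 2.

// Returns the value a CSP2-conformant user agent should put in "blocked-uri".
// Step 1 is the text quoted in comment 0. Step 2 is the following step of the
// same CSP2 algorithm (not quoted on this page): drop the fragment when the
// blocked URI is same-origin with the protected resource.
function stripUriForReporting(blockedUri, protectedResourceUri) {
  const blocked = new URL(blockedUri);
  const protectedOrigin = new URL(protectedResourceUri).origin;
  if (blocked.origin !== protectedOrigin) {
    // Origin serialization: scheme + host (+ non-default port), no path,
    // no query, no trailing slash. Port is part of the origin, so a
    // different port on the same host is cross-origin.
    return blocked.origin;
  }
  // Same origin: scheme, host, port, path and query are kept; "#fragment" goes.
  blocked.hash = "";
  return blocked.href;
}

// Receiver-side check (an assumption about how a collector might use the rule,
// not something described on this page): compare the blocked-uri a browser
// sent against what CSP2 says it should have sent.
function auditBlockedUri(report) {
  const body = report["csp-report"];
  const actual = body["blocked-uri"];
  const expected = stripUriForReporting(actual, body["document-uri"]);
  return { actual, expected, conformant: actual === expected };
}

// Report received from Firefox 39.0.3 in comment 2 (fields not used here omitted).
const fx39Report = {
  "csp-report": {
    "blocked-uri": "http://i.imgur.com/dYgkLlt.jpg",
    "document-uri": "http://kjozwiak.local:22935/poc",
    "violated-directive": "img-src http://kjozwiak.local:22935"
  }
};

// Report received from Firefox 45.0 and later in comment 2 (same fields).
const fx45Report = {
  "csp-report": {
    "blocked-uri": "http://i.imgur.com",
    "document-uri": "http://kjozwiak.local:22935/poc",
    "violated-directive": "img-src http://kjozwiak.local:22935"
  }
};

// Constructed inputs exercising the three branches of the rule.
const samples = [
  // comment 0's scenario: cross-origin image -> origin only
  ["http://www.anotherdomain.com/test.jpg", "https://www.example.com/"],
  // same origin with a fragment -> fragment removed, path and query kept
  ["https://www.example.com/img/a.png?v=1#top", "https://www.example.com/page"],
  // same host, different port -> cross-origin, so origin (with port) only
  ["https://www.example.com:8443/x", "https://www.example.com/page"]
];

for (const [blocked, doc] of samples) {
  console.log(`${blocked} -> ${stripUriForReporting(blocked, doc)}`);
}
console.log("fx39:", auditBlockedUri(fx39Report));
console.log("fx45:", auditBlockedUri(fx45Report));
```

Run it with `node`. The Firefox 39.0.3 report is flagged as non-conformant because the full path "/dYgkLlt.jpg" leaks across origins; the Firefox 45 report passes. Note that a receiver can only detect over-reporting this way, not recover anything a conformant browser already stripped.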
(In reply to Kamil Jozwiak [:kjozwiak] from comment #2)
> Chris, looks like this isn't an issue anymore. I reproduced the original
> issue using fx39.0.3 but couldn't reproduce the problem using fx48.0a1,
> fx47.0a2, fx46.0b1 and fx45.0.

Thanks Kamil, that's awesome.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mozilla)
Resolution: --- → WORKSFORME