Closed Bug 1195302 Opened 9 years ago Closed 9 years ago

Using the inspector triggers CSP violation reports

Categories

(DevTools :: Inspector, defect)

40 Branch
defect
Not set
normal

Tracking

(firefox40 wontfix, firefox41 wontfix, firefox42+ fixed, firefox43+ fixed)

RESOLVED WORKSFORME

People

(Reporter: dante3333, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150812163655

Steps to reproduce:

If you set up CSP on a website without style-src 'unsafe-inline', the Firefox inspector sends a LOT of CSP notifications, like:

{ "csp-report": { ... "script-sample": "top:62px;left:720px;", ... } }

I've set up a test page here; all CSP notifications on it are sent to report-uri /csp-parser.php and put into a database. Here are the steps to understand the issue:

1) Open http://csp.nicolas-hoffmann.net/
2) The page is going to generate a unique id, e.g. http://csp.nicolas-hoffmann.net/?id=foo
3) Wait some seconds. The page doesn't find any notification in the database.
4) Now inspect the page with the Firefox inspector, please highlight some elements.
5) Close the inspector.
6) Refresh the page with the id you have: http://csp.nicolas-hoffmann.net/?id=foo
7) It is going to find a lot of CSP errors.

Actual results:

A lot of CSP notifications are sent to report-uri.

Expected results:

I suppose that it shouldn't send CSP notifications (they are not shown in the console). I've tested the same steps on Chrome, Opera, Edge; it didn't send any CSP notification.

If you set up email notifications instead of a database, if somebody opens the Firefox inspector on a page, you can receive 100 emails per minute, especially annoying when you use it to remove inline styles :-\
If you need another simple testcase, feel free to ask.
Component: Untriaged → Security
Product: Firefox → Core
Component: Security → Developer Tools
Product: Core → Firefox
I reproduce on Nightly.
Component: Developer Tools → Developer Tools: Inspector
Status: UNCONFIRMED → NEW
Ever confirmed: true
I'm not sure where to triage this, for now I've put it inside Devtools: Inspector, but it could be an issue in CSP too.
This is an issue with the way the inspector's highlighter injects styles, which the CSP code currently views as unsafe and blocks / reports it. In bug 1185351, we're discussing how to change the CSP code to account for this case, so resolving that bug should fix this one too.
Depends on: 1185351
Summary: CSP issue using Firefox inspector → Using the inspector triggers CSP violation reports
I am not sure this deserves an uplift to beta but we could take a patch during the aurora cycle if it makes sense.
Nicolas / Julien, is this bug fixed for you if you retest with the latest Nightly? Bug 1185351 just landed there, which should resolve this too.
Flags: needinfo?(felash)
Flags: needinfo?(dante3333)
Looks good to me !
Flags: needinfo?(felash)
Looks good to me too! :) (and confirmed on other websites that are using CSP)
Flags: needinfo?(dante3333)
Hi, I don't know if it is the same problem (still on Firefox 41): if you perform the same how-to but instead of inspecting with the Inspector, you use Firebug, another notification is sent (while it should not).

{
  "csp-report": {
    "blocked-uri": "self",
    "document-uri": "http://csp.nicolas-hoffmann.net/?id=yaawmepkthidkcnrjlui",
    "line-number": 1,
    "original-policy": "default-src http://csp.nicolas-hoffmann.net; script-src http://csp.nicolas-hoffmann.net http://*.google-analytics.com; style-src http://csp.nicolas-hoffmann.net data:; img-src http://csp.nicolas-hoffmann.net http://*.google-analytics.com data:; frame-src http://csp.nicolas-hoffmann.net; report-uri http://csp.nicolas-hoffmann.net/csp-parser.php",
    "referrer": "",
    "script-sample": "/* See license.txt for terms of usage */...",
    "source-file": "http://csp.nicolas-hoffmann.net/?id=yaawmepkthidkcnrjlui",
    "violated-directive": "style-src http://csp.nicolas-hoffmann.net data:"
  }
}

For reference: http://csp.nicolas-hoffmann.net/?id=yaawmepkthidkcnrjlui
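The two reports quoted in this bug (the highlighter's "top:62px;left:720px;" inline style and the Firebug one above) show why a report-uri endpoint that forwards every report as an e-mail floods its owner: the browser sends one report per blocked style, and the coordinates and the per-visit ?id= make each look distinct. The following is an added Python example, not the csp-parser.php endpoint from the test site, of the aggregation step such an endpoint can run before notifying anyone. It parses the csp-report JSON shape quoted here, normalises the fields that vary between equivalent reports (digits in the sample, the query string of the document URI; both are this example's own heuristics) and counts reports per distinct violation. All sample bodies are constructed; function names are the example's own.

```python
"""Aggregate CSP violation reports so one notification covers many reports.

Added example, not the csp-parser.php endpoint referenced in the bug.
"""
import json
import re
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Digits in the inline-style sample ("top:62px;left:720px;") change with every
# highlighted element; masking them lets equivalent violations collapse.
# This normalisation is a design choice of this example.
_DIGITS = re.compile(r"\d+")


def _strip_query(uri):
    """Drop the query string: the test page appends a per-visit ?id=..."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def parse_report(body):
    """Parse one report-uri POST body; raise ValueError if it is malformed.

    Only the keys quoted in the bug are read; anything else is ignored.
    """
    try:
        outer = json.loads(body)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        raise ValueError("report body is not JSON") from exc
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    directive = report.get("violated-directive", "")
    if not directive:
        raise ValueError("missing violated-directive")
    return {
        # First token only ("style-src"): the source list repeats the policy.
        "directive": directive.split()[0],
        "blocked_uri": report.get("blocked-uri", ""),
        "document": _strip_query(report.get("document-uri", "")),
        "sample": report.get("script-sample", ""),
    }


def violation_key(parsed):
    """Key under which equivalent reports are grouped."""
    return (
        parsed["directive"],
        parsed["blocked_uri"],
        parsed["document"],
        _DIGITS.sub("N", parsed["sample"]),
    )


def aggregate(bodies):
    """Return (Counter of reports per violation key, number of malformed bodies)."""
    counts = Counter()
    malformed = 0
    for body in bodies:
        try:
            counts[violation_key(parse_report(body))] += 1
        except ValueError:
            malformed += 1
    return counts, malformed


def _report(sample, doc_id):
    """Construct a report in the shape quoted in the bug (sample data)."""
    doc = "http://csp.nicolas-hoffmann.net/?id=" + doc_id
    return json.dumps({"csp-report": {
        "blocked-uri": "self",
        "document-uri": doc,
        "line-number": 1,
        "original-policy": "default-src http://csp.nicolas-hoffmann.net; "
                           "style-src http://csp.nicolas-hoffmann.net data:; "
                           "report-uri http://csp.nicolas-hoffmann.net/csp-parser.php",
        "referrer": "",
        "script-sample": sample,
        "source-file": doc,
        "violated-directive": "style-src http://csp.nicolas-hoffmann.net data:",
    }})


# Constructed input: a burst of highlighter-style reports from two visits,
# one Firebug-style report, and one body that is not a CSP report at all.
SAMPLE_BODIES = [
    _report("top:62px;left:720px;", "foo"),
    _report("top:140px;left:12px;", "foo"),
    _report("top:8px;left:1024px;", "bar"),
    _report("/* See license.txt for terms of usage */...", "yaawmepkthidkcnrjlui"),
    "not json at all",
]

if __name__ == "__main__":
    counts, bad = aggregate(SAMPLE_BODIES)
    for key, n in counts.most_common():
        print(n, "x", key)
    print("malformed bodies:", bad)
```

Run as a script it prints two groups (three highlighter reports collapsed into one key, one Firebug report) and one malformed body; a notifier built on top of `aggregate` would send one message per key per time window instead of one per report.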
Well, it seems to be fixed now. :)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Product: Firefox → DevTools