Bug 1204989 - The violated-directive in CSP reports is malformed when both CSP and CSPRO headers are present.
Status: RESOLVED WORKSFORME
Whiteboard: [domsecurity-backlog]
Product: Core
Classification: Components
Component: DOM: Security
Version: 40 Branch
Platform: Unspecified Unspecified
Priority/Severity: -- normal
Assigned To: Nobody; OK to take it and work on it
Contacts: Kamil Jozwiak [:kjozwiak], Christoph Kerschbaumer [:ckerschb]
Reported: 2015-09-15 11:11 PDT by Scott Helme
Modified: 2016-03-17 10:06 PDT


Attachments
firefox-bug-2.png (57.29 KB, image/png) - 2015-09-15 11:11 PDT, Scott Helme
firefox-bug-3.png (171.95 KB, image/png) - 2015-09-15 11:12 PDT, Scott Helme
poc.php (512 bytes, text/php) - 2016-03-17 10:04 PDT, Kamil Jozwiak [:kjozwiak]

Description: Scott Helme 2015-09-15 11:11:47 PDT
Created attachment 8661366
firefox-bug-2.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2503.0 Safari/537.36

Steps to reproduce:

Issue a CSP and CSPRO header on a site. 
Create a violation on the page that triggers a violation in both policies. 
The resulting violation of the CSPRO contains the violated-directive string for both the CSP and CSPRO headers joined together.

The CSP: 

Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; upgrade-insecure-requests; block-all-mixed-content; report-uri https://test.report-uri.io/report/ScottHelme"

The CSPRO:  

Content-Security-Policy-Report-Only "default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://test.report-uri.io/report/ScottHelme"

The violating asset: 

<img src="ftp://example.com/profile.png">

The CSP contains "https://scotthelme.co.uk" in the default-src directive to distinguish between the policies. 

The resulting CSP violation report (determined by the presence of "https://scotthelme.co.uk" in the original policy): 

{"csp-report":{"blocked-uri":"ftp://example.com/profile.png","document-uri":"https://scotthelme.co.uk/csp-test/","original-policy":"default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; report-uri https://test.report-uri.io/report/ScottHelme","referrer":"","violated-directive":"default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk"}}

The resulting CSPRO violation report (determined by the lack of "https://scotthelme.co.uk" in the original policy): 

{"csp-report":{"blocked-uri":"ftp://example.com/profile.png","document-uri":"https://scotthelme.co.uk/csp-test/","original-policy":"default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://test.report-uri.io/report/ScottHelme","referrer":"","violated-directive":"default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.ukdefault-src https: data: 'unsafe-inline' 'unsafe-eval'"}}

Note in the violated-directive of the CSPRO violation that it also contains the string from the CSP violation which should not be present.


Actual results:

The violated-directive string for the CSPRO report contains the expected string and also the violated-directive string from the CSP report, which should not be present.


Expected results:

The violated-directive string for the CSPRO report contains just the expected string.
Comment 1: Scott Helme 2015-09-15 11:12:13 PDT
Created attachment 8661367
firefox-bug-3.png
Comment 2: Abe - QA (:Abe_LV) 2015-12-02 14:40:23 PST
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0 
Nightly 45.0a1 Build ID:201512020030228
and Firefox 42.0

Are you still able to reproduce this in the latest version?
Comment 3: Scott Helme 2015-12-02 14:59:38 PST
Yes, this is reproducible in the latest build, 42.0

I have setup a demo page: 

https://scotthelme.co.uk/csp-test

Which loads a violating asset: 

<img src="ftp://example.com/profile.png">

Using the following headers:

add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' ; upgrade-insecure-requests; block-all-mixed-content; report-uri https://report-uri.io/report/ScottHelme" always;
add_header Content-Security-Policy-Report-Only "default-src https: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; report-uri https://report-uri.io/report/ScottHelme/reportOnly" always;

Resulting in the following CSP reports:

CSP: 
{
    "csp-report": {
        "blocked-uri": "ftp://example.com/profile.png",
        "document-uri": "https://scotthelme.co.uk/csp-test/",
        "original-policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri https://report-uri.io/report/ScottHelme",
        "referrer": "",
        "violated-directive": "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
    }
}

CSPRO:
{
    "csp-report": {
        "blocked-uri": "ftp://example.com/profile.png",
        "document-uri": "https://scotthelme.co.uk/csp-test/",
        "original-policy": "default-src https: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; report-uri https://report-uri.io/report/ScottHelme/reportOnly",
        "referrer": "",
        "violated-directive": "default-src https: data: 'unsafe-inline' 'unsafe-eval'default-src https: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk"
    }
}


As you can see, the "violated-directive" of the CSPRO report contains the value from the CSP report first and then the expected value of the CSPRO appended after it.
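An added example, not code from this bug, from its poc.php attachment or from Firefox: a check that a report-uri collector can run on each incoming report to catch the malformed violated-directive described above. It parses original-policy into its directives and accepts violated-directive only if it is one of those directives verbatim (CSP Level 2 style, which is what Firefox sends in the reports quoted here) or a bare directive name (CSP Level 3 style). Anything else is classified, and the signature of this bug, a value that ends with one of the policy's directives but has a directive from the other policy glued in front of it with no separator, is reported as "concatenated" together with the foreign prefix. The helper names are hypothetical; the sample reports are the ones quoted in comment 3 and comment 8.

```javascript
// Added example, not code from the bug or from Firefox: a check that a
// report-uri collector can run on each incoming CSP violation report.
// Helper names are hypothetical; the sample reports are copied from
// comment 3 and comment 8 of this bug.

// Split a serialized policy ("a b; c d") into its directives.
function parsePolicy(policy) {
  return policy
    .split(';')
    .map((part) => part.trim().split(/\s+/).filter(Boolean))
    .filter((tokens) => tokens.length > 0)
    .map((tokens) => ({
      name: tokens[0].toLowerCase(),
      values: tokens.slice(1),
      text: tokens.join(' '),
    }));
}

// Check that violated-directive refers to a directive that actually exists
// in original-policy, and classify the mismatch when it does not.
function validateReport(report) {
  const body = report && report['csp-report'];
  if (!body || typeof body['original-policy'] !== 'string' ||
      typeof body['violated-directive'] !== 'string') {
    return { ok: false, reason: 'missing-fields' };
  }
  const directives = parsePolicy(body['original-policy']);
  const vd = body['violated-directive'].trim().replace(/\s+/g, ' ');

  // CSP Level 2 reports carry the full directive text (what Firefox sends here).
  const full = directives.find((d) => d.text === vd);
  if (full) return { ok: true, style: 'csp2', directive: full.name };

  // CSP Level 3 reports carry only the directive name.
  const byName = directives.find((d) => d.name === vd.toLowerCase());
  if (byName) return { ok: true, style: 'csp3', directive: byName.name };

  // Signature of this bug: the expected directive is there, but another
  // policy's directive has been glued in front of it with no separator.
  const tail = directives.find((d) => vd.endsWith(d.text));
  if (tail) {
    const prefix = vd.slice(0, vd.length - tail.text.length);
    if (/^[a-z-]+(\s|$)/i.test(prefix)) {
      return {
        ok: false,
        reason: 'concatenated',
        directive: tail.name,
        expected: tail.text,
        foreignPrefix: prefix,
      };
    }
  }
  return { ok: false, reason: 'unknown-directive', violated: vd };
}

// Sample reports quoted in this bug (comment 3: enforced and report-only
// from Firefox 42; comment 8: report-only from a fixed build).
const SAMPLE_REPORTS = {
  enforcedComment3: { 'csp-report': {
    'blocked-uri': 'ftp://example.com/profile.png',
    'document-uri': 'https://scotthelme.co.uk/csp-test/',
    'original-policy': "default-src https: data: 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; report-uri https://report-uri.io/report/ScottHelme",
    referrer: '',
    'violated-directive': "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
  } },
  reportOnlyComment3: { 'csp-report': {
    'blocked-uri': 'ftp://example.com/profile.png',
    'document-uri': 'https://scotthelme.co.uk/csp-test/',
    'original-policy': "default-src https: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; report-uri https://report-uri.io/report/ScottHelme/reportOnly",
    referrer: '',
    'violated-directive': "default-src https: data: 'unsafe-inline' 'unsafe-eval'default-src https: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk",
  } },
  reportOnlyComment8: { 'csp-report': {
    'blocked-uri': 'http://example.com',
    'document-uri': 'http://localhost:8000/poc.php',
    'original-policy': "default-src https: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; report-uri https://report-uri.io/report/kamiljoz/reportOnly",
    referrer: '',
    'violated-directive': "default-src https: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk",
  } },
};

// Run the check over the samples; a collector would do this per POST body.
function checkSamples() {
  const out = {};
  for (const [label, report] of Object.entries(SAMPLE_REPORTS)) {
    out[label] = validateReport(report);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(checkSamples(), null, 2));
}
```

Run as `node` against the samples, the enforced report from comment 3 and the report from comment 8 pass, while the report-only report from comment 3 comes back as "concatenated" with the enforced policy's default-src as the foreign prefix. In a collector, reports that fail this check should be kept but counted separately, since their violated-directive cannot be trusted for aggregation.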
Comment 4: Abe - QA (:Abe_LV) 2015-12-09 11:32:16 PST

*** This bug has been marked as a duplicate of bug 1204991 ***
Comment 5: Scott Helme 2015-12-19 02:10:44 PST
I don't believe that this bug is a duplicate of the one linked. 

This bug outlines the issue that the violated-directive of a report from a CSPRO is malformed when issued alongside a CSP. 

The issue that this is marked as a duplicate of is about the original-policy value of a report not being an accurate representation of the policy that was delivered to the browser.
Comment 6: Abe - QA (:Abe_LV) 2015-12-29 13:04:22 PST
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:46.0) Gecko/20100101 Firefox/46.0
Nightly 46.0a1 Build ID:20151229030213.

The issue is reproducible and demo page is given by the reporter.
Comment 7: Christoph Kerschbaumer [:ckerschb] 2016-03-10 16:08:50 PST
Matt, Kamil, can we still reproduce this?
Comment 8: Kamil Jozwiak [:kjozwiak] 2016-03-17 10:04:01 PDT
Created attachment 8731763
poc.php

Reproduced the original issue using the above examples with the following build:
* https://archive.mozilla.org/pub/firefox/releases/40.0/

Received the following CSP report:

{
    "csp-report": {
        "blocked-uri": "http://example.com/profile.png",
        "document-uri": "http://localhost:8000/poc.php",
        "original-policy": "default-src https: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; report-uri https://report-uri.io/report/kamiljoz/reportOnly",
        "referrer": "",
        "violated-directive": "default-src https: data: 'unsafe-inline' 'unsafe-eval'default-src https: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk"
    }
}

Went through verification using the following builds:
* https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-17-03-02-35-mozilla-central/
* https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-17-00-40-16-mozilla-aurora/
* https://archive.mozilla.org/pub/firefox/candidates/46.0b2-candidates/build3/
* https://archive.mozilla.org/pub/firefox/releases/45.0.1/

Results:

* fx48.0a1 - PASSED
* fx47.0a2 - PASSED
* fx46.0b2 - PASSED
* fx45.0.1 - PASSED

Received the following CSP report:

{
    "csp-report": {
        "blocked-uri": "http://example.com",
        "document-uri": "http://localhost:8000/poc.php",
        "original-policy": "default-src https: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; report-uri https://report-uri.io/report/kamiljoz/reportOnly",
        "referrer": "",
        "violated-directive": "default-src https: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk"
    }
}

Received the following CSP error via the browser console:

* Content Security Policy: The page's settings observed the loading of a resource at http://example.com/profile.png ("default-src https: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk"). A CSP report is being sent.

Chris, looks like this isn't an issue anymore. I managed to reproduce the problem with fx40.0 and couldn't reproduce the problem using fx48.0a1, fx47.0a2, fx46.0b2 and fx45.0.1.
Comment 9: Christoph Kerschbaumer [:ckerschb] 2016-03-17 10:06:15 PDT
(In reply to Kamil Jozwiak [:kjozwiak] from comment #8)
> Chris, looks like this isn't an issue anymore. I managed to reproduce the
> problem with fx40.0 and couldn't reproduce the problem using fx48.0a1,
> fx47.0a2, fx46.0b2 and fx45.0.1.

Thanks Kamil. That's great!
