CSP and CSPRO violation reports exclude unknown directives from the original-policy value.

Status: NEW (Unassigned)
Product: Core
Component: DOM: Security
Version: 40 Branch
Reporter: Scott Helme
Reported: 2 years ago; last modified: a year ago
Blocks: 1 bug
Whiteboard: [domsecurity-backlog]
Firefox Tracking Flags: (Not tracked)
Points: ---

Description (Reporter, 2 years ago)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2503.0 Safari/537.36

Steps to reproduce:

Issue a CSP or CSPRO header with directives that Firefox does not support. 
When a violation occurs and a report is sent, the report includes an original-policy value. 

This value does not represent the original policy as Firefox excludes directives that were unknown. 

Actual CSP: 

Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; upgrade-insecure-requests; block-all-mixed-content; report-uri https://test.report-uri.io/report/ScottHelme"

Violation report:

{
  "csp-report": {
    "blocked-uri": "ftp://example.com/profile.png",
    "document-uri": "https://scotthelme.co.uk/csp-test/",
    "original-policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; report-uri https://test.report-uri.io/report/ScottHelme",
    "referrer": "",
    "violated-directive": "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk"
  }
}

The original-policy value in the report does not match the CSP header that was issued and could be misleading.


Actual results:

The original-policy value does not match the original policy that was issued.


Expected results:

The original-policy value should match the original policy that was issued.
Comment 1 (Reporter, 2 years ago)
After further reading, the specification states:

original-policy
The original policy, as received by the user agent.

http://www.w3.org/TR/CSP/#violation-report-original-policy
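The description and Comment 1 together describe the check a report collector would want: the original-policy field should be the header exactly as served, so any directive present in the served policy but absent from the report is evidence of the behaviour reported here. The following is an added example, not code from this bug report, from Firefox, or from the report-uri.io service; the function names (parsePolicy, missingDirectives, checkReport) are my own, and the sample policy and report are the ones quoted in the description.

```javascript
// Added example (not from the bug or from Firefox): a collector-side check that
// detects an original-policy value omitting directives the server served.
// Directive parsing follows the CSP grammar: directives are separated by ';',
// tokens within a directive by ASCII whitespace, names are case-insensitive,
// and a repeated directive name is ignored after its first occurrence.

// Policy value as served in the Content-Security-Policy header quoted above.
const SERVED_POLICY =
  "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; " +
  "upgrade-insecure-requests; block-all-mixed-content; " +
  "report-uri https://test.report-uri.io/report/ScottHelme";

// The violation report quoted above, as the collector receives it (JSON body).
const SAMPLE_REPORT = JSON.stringify({
  "csp-report": {
    "blocked-uri": "ftp://example.com/profile.png",
    "document-uri": "https://scotthelme.co.uk/csp-test/",
    "original-policy":
      "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; " +
      "report-uri https://test.report-uri.io/report/ScottHelme",
    "referrer": "",
    "violated-directive":
      "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk",
  },
});

// Parse a serialized policy into Map<directiveName, [sourceExpression, ...]>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const piece of policy.split(";")) {
    const tokens = piece.trim().split(/[ \t\n\r\f]+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Directive names present in the served policy but absent from the report's
// original-policy. A conforming user agent yields an empty list, because
// original-policy must be the policy "as received", unknown directives included.
function missingDirectives(servedPolicy, reportedOriginalPolicy) {
  const reported = parsePolicy(reportedOriginalPolicy);
  return [...parsePolicy(servedPolicy).keys()].filter((name) => !reported.has(name));
}

// Validate one JSON report body against the policy the server actually sent.
function checkReport(servedPolicy, reportBody) {
  const report = JSON.parse(reportBody)["csp-report"];
  if (!report || typeof report["original-policy"] !== "string") {
    throw new Error("not a CSP violation report");
  }
  const missing = missingDirectives(servedPolicy, report["original-policy"]);
  // violated-directive carries the whole directive; its first token names it.
  const violatedName = report["violated-directive"].trim().split(/\s+/)[0].toLowerCase();
  return {
    missing,                                  // directives dropped from original-policy
    originalPolicyFaithful: missing.length === 0,
    violatedDirective: violatedName,
    // True when the violated directive itself appears in original-policy.
    violatedDirectiveKnown: parsePolicy(report["original-policy"]).has(violatedName),
  };
}

// Stand-alone usage: lists the directives dropped from the report quoted above.
if (typeof require !== "undefined" && require.main === module) {
  console.log(checkReport(SERVED_POLICY, SAMPLE_REPORT));
}
```

Run against the report from the description, checkReport flags upgrade-insecure-requests and block-all-mixed-content as missing while confirming that the violated directive (default-src) is still listed, which is exactly the mismatch the bug describes. The same check passes for a conforming report, since original-policy then parses to the same directive set as the served header.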

Updated (2 years ago)
Component: Untriaged → DOM: Security
Product: Firefox → Core

Updated (2 years ago)
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated (2 years ago)
Duplicate of this bug: 1204989

Comment
Kamil, Matt, I suppose this one got fixed within Bug 1204989, can someone please verify?
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
Whiteboard: [domsecurity-backlog]

Comment
This is still an issue in Fx45.0.1. The unsupported directives do not appear in the report's original-policy value.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
Blocks: 1231788

Comment
Thanks Matt, marking this one as blocking the master CSP bug so it shows up for the next triage.

Also, it seems not to be an issue on Nightly Fx48. I tried with e10s both on and off, and it functions correctly there.