
CSP and CSPRO violation reports exclude unknown directives from the original-policy value.


Component: DOM: Security
Reported: 2 years ago
Modified: a year ago
Reporter: Scott Helme (Unassigned)
Blocks: 1 bug
Version: 40 Branch
Firefox Tracking Flags: (Not tracked)
Whiteboard: [domsecurity-backlog]



2 years ago
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2503.0 Safari/537.36

Steps to reproduce:

Issue a CSP or CSPRO header with directives that Firefox does not support.
When a violation occurs and a report is sent, the report includes an original-policy value.

This value does not represent the original policy as Firefox excludes directives that were unknown. 

Actual CSP: 

Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; block-all-mixed-content; report-uri"

Violation report:

{"csp-report":{"blocked-uri":"","document-uri":"","original-policy":"default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri","referrer":"","violated-directive":"default-src https: data: 'unsafe-inline' 'unsafe-eval'"}}

The original-policy value in the report does not match the CSP header that was issued and could be misleading.

Actual results:

The original-policy value does not match the original policy that was issued.

Expected results:

The original-policy value should match the original policy that was issued.
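As an added example (not code from the bug report or from Firefox), the check a report-uri endpoint can run to catch exactly this mismatch: parse the policy the server knows it served, parse the original-policy the browser echoed back, and list the directives that went missing, were altered, or were added. The sample report and the /csp-report endpoint value are constructed here; the report in the bug has its URIs stripped out.

```javascript
// Added example, not from the bug report: parse serialized CSP policies and
// compare the policy a server sent with the original-policy a browser echoed
// back in a violation report, so dropped directives become visible.

// Parse "name value value; name2 ..." into a Map of directive name -> values.
// Directive names are case-insensitive, and per the CSP spec a repeated
// directive name is ignored after its first occurrence, so the first one wins.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const token of serialized.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Compare the served policy against the reported original-policy. Returns the
// directives the user agent dropped, altered, or added, plus a summary flag.
function diffPolicies(servedPolicy, reportedPolicy) {
  const served = parsePolicy(servedPolicy);
  const reported = parsePolicy(reportedPolicy);
  const dropped = [];
  const altered = [];
  const added = [];
  for (const [name, values] of served) {
    if (!reported.has(name)) {
      dropped.push(name);
    } else if (reported.get(name).join(' ') !== values.join(' ')) {
      altered.push(name);
    }
  }
  for (const name of reported.keys()) {
    if (!served.has(name)) added.push(name);
  }
  const faithful = dropped.length === 0 && altered.length === 0 && added.length === 0;
  return { dropped, altered, added, faithful };
}

// Validate a raw report body (the JSON a report-uri endpoint receives) against
// the policy the server recorded as served for that document.
function checkReport(servedPolicy, reportBody) {
  const report = JSON.parse(reportBody)['csp-report'];
  if (!report || typeof report['original-policy'] !== 'string') {
    throw new Error('malformed csp-report: missing original-policy');
  }
  return {
    violatedDirective: report['violated-directive'],
    ...diffPolicies(servedPolicy, report['original-policy']),
  };
}

// Constructed sample: the policy from the bug, with an assumed report-uri value
// (the report in the bug has the endpoint stripped).
const SERVED_POLICY =
  "default-src https: data: 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests; block-all-mixed-content; report-uri /csp-report";

// Constructed sample report in the shape the bug shows: the directives the
// browser did not recognise are absent from original-policy.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'blocked-uri': 'http://example.com/script.js',
    'document-uri': 'https://example.com/',
    'original-policy': "default-src https: data: 'unsafe-inline' 'unsafe-eval'; report-uri /csp-report",
    referrer: '',
    'violated-directive': "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
  },
});

const result = checkReport(SERVED_POLICY, SAMPLE_REPORT);
console.log(JSON.stringify(result, null, 2));
```

When `faithful` is false, the endpoint should key its analysis off its own record of the served policy rather than the echoed original-policy; the `dropped` list also tells you which directives that browser build did not recognise and therefore did not enforce, which is useful signal in itself when you are rolling out newer directives.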

Comment 1

2 years ago
After further reading, the specification states:

"The original policy, as received by the user agent."
Component: Untriaged → DOM: Security
Product: Firefox → Core
Ever confirmed: true


a year ago
Duplicate of this bug: 1204989
Kamil, Matt, I suppose this one got fixed within Bug 1204989, can someone please verify?
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
Whiteboard: [domsecurity-backlog]
This is still an issue in Fx45.0.1. The unsupported directives do not appear in the report's original-policy value.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
Blocks: 1231788
Thanks Matt, marking this one blocking the master CSP bug so it shows up for the next triage.

Also, seems to not be an issue on Nightly Fx48. I tried with e10s both on and off, and it functions correctly there.