Open Bug 1204991 Opened 9 years ago Updated 2 years ago

CSP and CSPRO violation reports exclude unknown directives from the original-policy value.

Categories

(Core :: DOM: Security, defect, P5)

40 Branch
defect


People

(Reporter: bugzilla, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2503.0 Safari/537.36

Steps to reproduce:

Issue a CSP or CSPRO header with directives that Firefox does not support. 
When a violation occurs and a report is sent, the report includes an original-policy value. 

This value does not represent the original policy as Firefox excludes directives that were unknown. 

Actual CSP: 

Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; upgrade-insecure-requests; block-all-mixed-content; report-uri https://test.report-uri.io/report/ScottHelme"

Violation report:

{
  "csp-report": {
    "blocked-uri": "ftp://example.com/profile.png",
    "document-uri": "https://scotthelme.co.uk/csp-test/",
    "original-policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; report-uri https://test.report-uri.io/report/ScottHelme",
    "referrer": "",
    "violated-directive": "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk"
  }
}

The original-policy value in the report does not match the CSP header that was issued and could be misleading.


Actual results:

The original-policy value does not match the original policy that was issued.


Expected results:

The original-policy value should match the original policy that was issued.

After further reading, the specification states:

original-policy
The original policy, as received by the user agent.

http://www.w3.org/TR/CSP/#violation-report-original-policy
Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Ever confirmed: true
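The following is an added example, not code from this bug or from Firefox: a check that the operator of a report-uri endpoint could run over incoming reports to detect exactly the truncation described above, by comparing each report's original-policy with the header the server is known to send. The issued header and the first report body are constructed from the values quoted in the bug; the second report body is a constructed example of what a report conforming to the spec's "as received by the user agent" definition would carry, and the function names are this example's own.

```python
"""Compare a CSP violation report's original-policy against the header actually sent.

Added example, not code from the bug report or from Firefox. The issued header and
the first report body are constructed from the values quoted in the bug; the
second report is a constructed example of what a conforming report would carry.
"""
import json
from typing import Dict, List

# Constructed sample: the Content-Security-Policy header the server issued.
ISSUED_POLICY = (
    "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; "
    "upgrade-insecure-requests; block-all-mixed-content; "
    "report-uri https://test.report-uri.io/report/ScottHelme"
)

# Constructed sample: the report Firefox 40 posted (unknown directives missing).
TRUNCATED_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "ftp://example.com/profile.png",
    "document-uri": "https://scotthelme.co.uk/csp-test/",
    "original-policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval' "
                       "https://scotthelme.co.uk; "
                       "report-uri https://test.report-uri.io/report/ScottHelme",
    "referrer": "",
    "violated-directive": "default-src https: data: 'unsafe-inline' 'unsafe-eval' "
                          "https://scotthelme.co.uk",
}})

# Constructed sample: the same violation with original-policy "as received".
CONFORMING_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "ftp://example.com/profile.png",
    "document-uri": "https://scotthelme.co.uk/csp-test/",
    "original-policy": ISSUED_POLICY,
    "referrer": "",
    "violated-directive": "default-src https: data: 'unsafe-inline' 'unsafe-eval' "
                          "https://scotthelme.co.uk",
}})


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [values]}.

    Directive names are matched ASCII case-insensitively; when a name repeats,
    the first occurrence wins and later ones are ignored, as CSP requires.
    """
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def check_report(report_json: str, issued_policy: str) -> dict:
    """Flag reports whose original-policy does not carry every issued directive.

    Returns the directives that were dropped, whether the reported policy is
    equivalent to the issued one, and the name of the violated directive.
    """
    report = json.loads(report_json)["csp-report"]
    issued = parse_policy(issued_policy)
    reported = parse_policy(report["original-policy"])
    dropped = sorted(name for name in issued if name not in reported)
    return {
        "dropped": dropped,
        "matches_issued": reported == issued,
        "violated": report["violated-directive"].split()[0],
    }


if __name__ == "__main__":
    for label, body in (("Fx40", TRUNCATED_REPORT), ("conforming", CONFORMING_REPORT)):
        print(label, check_report(body, ISSUED_POLICY))
```

Run against the Firefox 40 report the check lists upgrade-insecure-requests and block-all-mixed-content as dropped and reports no match; against the conforming report it lists nothing and reports a match. The comparison is done on parsed directives rather than raw strings so that whitespace or ordering differences in a browser's serialization do not produce false alarms; only a directive that is genuinely absent is flagged.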
Kamil, Matt, I suppose this one got fixed within Bug 1204989, can someone please verify?
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
Whiteboard: [domsecurity-backlog]
This is still an issue in Fx45.0.1. The unsupported directives do not appear in the report's original-policy value.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
Thanks Matt, marking this one blocking the master CSP bug so it shows up for the next triage.
Also, seems to not be an issue on Nightly Fx48. I tried with e10s both on and off, and it functions correctly there.
Priority: -- → P5
Severity: normal → S3