Bug 1204991 - CSP and CSPRO violation reports exclude unknown directives from the original-policy value.
Status: NEW
Whiteboard: [domsecurity-backlog]
Product: Core
Classification: Components
Component: DOM: Security
Version: 40 Branch
Platform: Unspecified Unspecified
Priority: -- Severity: normal
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
: Christoph Kerschbaumer [:ckerschb]
Blocks: csp-w3c-3
Reported: 2015-09-15 11:17 PDT by Scott Helme
Modified: 2016-04-08 23:57 PDT
Description Scott Helme 2015-09-15 11:17:14 PDT
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2503.0 Safari/537.36

Steps to reproduce:

Issue a CSP or CSPRO header with directives that Firefox does not support.
When a violation occurs and a report is sent, the report includes an original-policy value.

This value does not represent the original policy as Firefox excludes directives that were unknown.

Actual CSP: 

Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; upgrade-insecure-requests; block-all-mixed-content; report-uri https://test.report-uri.io/report/ScottHelme"

Violation report:

{"csp-report":{"blocked-uri":"ftp://example.com/profile.png","document-uri":"https://scotthelme.co.uk/csp-test/","original-policy":"default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; report-uri https://test.report-uri.io/report/ScottHelme","referrer":"","violated-directive":"default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk"}}

The original-policy value in the report does not match the CSP header that was issued and could be misleading.


Actual results:

The original-policy value does not match the original policy that was issued.


Expected results:

The original-policy value should match the original policy that was issued.
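A collector-side check for the mismatch described in this report, added here as an example (it is not code from Firefox or from the reporter): it parses both the served header and the report's original-policy into directives and lists the ones the browser dropped. The sample header and report are the values quoted above; the function names are the example's own.

```python
import json

# Constructed from the values quoted in this bug: the header that was served and
# the violation report Firefox 40 sent back for it.
SERVED_POLICY = (
    "default-src https: data: 'unsafe-inline' 'unsafe-eval' https://scotthelme.co.uk; "
    "upgrade-insecure-requests; block-all-mixed-content; "
    "report-uri https://test.report-uri.io/report/ScottHelme"
)
REPORT_JSON = json.dumps({"csp-report": {
    "blocked-uri": "ftp://example.com/profile.png",
    "document-uri": "https://scotthelme.co.uk/csp-test/",
    "original-policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval' "
                       "https://scotthelme.co.uk; "
                       "report-uri https://test.report-uri.io/report/ScottHelme",
    "referrer": "",
    "violated-directive": "default-src https: data: 'unsafe-inline' 'unsafe-eval' "
                          "https://scotthelme.co.uk",
}})


def parse_policy(policy):
    """Split a serialized CSP into {directive-name: [values]}.

    Directives are ';'-separated, names are case-insensitive, and the first
    occurrence of a repeated directive wins (later duplicates are ignored),
    which is how the CSP spec tells user agents to parse the header.
    """
    directives = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def dropped_directives(served_policy, report_json):
    """Return directive names present in the served header but missing from
    the report's original-policy, in the order they were served.

    A non-empty result means original-policy is not "the original policy, as
    received by the user agent", so the collector should rely on its own
    record of what was served for this document-uri instead.
    """
    report = json.loads(report_json)["csp-report"]
    reported = parse_policy(report["original-policy"])
    return [name for name in parse_policy(served_policy) if name not in reported]


if __name__ == "__main__":
    # For the Firefox 40 report above this prints the two unsupported directives.
    print(dropped_directives(SERVED_POLICY, REPORT_JSON))
```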
Comment 1 Scott Helme 2015-09-17 09:21:10 PDT
After further reading, the specification states:

original-policy
The original policy, as received by the user agent.

http://www.w3.org/TR/CSP/#violation-report-original-policy
Comment 2 Abe - QA (:Abe_LV) 2015-12-09 11:32:16 PST
*** Bug 1204989 has been marked as a duplicate of this bug. ***
Comment 3 Christoph Kerschbaumer [:ckerschb] 2016-03-21 16:10:32 PDT
Kamil, Matt, I suppose this one got fixed within Bug 1204989, can someone please verify?
Comment 4 Matt Wobensmith [:mwobensmith][:matt:] 2016-03-28 14:38:15 PDT
This is still an issue in Fx45.0.1. The unsupported directives do not appear in the report's original-policy value.
Comment 5 Christoph Kerschbaumer [:ckerschb] 2016-03-28 14:47:33 PDT
Thanks Matt, marking this one blocking the master CSP bug so it shows up for the next triage.
Comment 6 Matt Wobensmith [:mwobensmith][:matt:] 2016-03-28 16:48:25 PDT
Also, seems to not be an issue on Nightly Fx48. I tried with e10s both on and off, and it functions correctly there.