Closed Bug 1230528 Opened 9 years ago Closed 2 years ago

CSP: Return 'inline' or 'eval' when `'unsafe-inline'` or `'unsafe-eval'` are violated.

Categories: Core :: DOM: Security, defect

Status: RESOLVED FIXED

People: Reporter: mkwst, Unassigned

References: Blocks 1 open bug

Details: Whiteboard: [domsecurity-backlog]

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36

Steps to reproduce:

I visited a page whose Content Security Policy did not include `unsafe-inline`, but did include inline script.


Actual results:

The violation report's `blocked-uri` field was an empty string.


Expected results:

The (very new) https://w3c.github.io/webappsec-csp/#violation-resource defines a violation's resource as either a URL, or the string "inline" or "eval". The latter two are returned instead of an empty string when a violation occurs because of a mismatch with `unsafe-inline` or `unsafe-eval`. Ideally, the `blocked-uri` in the report would have contained one of those strings.
Summary: CS: Return 'inline' or 'eval' when `'unsafe-inline'` or `'unsafe-eval'` are violated. → CSP: Return 'inline' or 'eval' when `'unsafe-inline'` or `'unsafe-eval'` are violated.
Chrome has implemented this behavior in https://codereview.chromium.org/1486993002. Ms2ger assures me that your diff tools are better, but hopefully you can parse something useful out of that patch. :)
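On the report-receiving side, the spec's violation-resource values ("inline", "eval", or a URL) and the empty `blocked-uri` this bug describes can be classified consistently so that inline/eval violations are not silently dropped from monitoring. This is an added example, not code from the bug, Gecko or Chromium; field names follow the CSP report JSON format and the sample reports are constructed.

```javascript
// Classify CSP violation reports by their `blocked-uri`, handling both the
// spec values ("inline" / "eval") and the empty-string case from this bug.
const SPEC_RESOURCES = new Set(["inline", "eval"]);

// Classify one report (either the `csp-report` object or the whole JSON body).
// Returns { kind, directive, resource }.
function classifyViolation(report) {
  const body = report["csp-report"] || report;
  const blocked = String(body["blocked-uri"] ?? "");
  const directive = String(body["effective-directive"] || body["violated-directive"] || "");
  if (SPEC_RESOURCES.has(blocked)) {
    return { kind: blocked, directive, resource: null };
  }
  if (blocked === "") {
    // Pre-fix behaviour described in this bug: an empty blocked-uri. For a
    // script-src/style-src violation this almost always means inline or eval,
    // but the report cannot say which, so keep the classification ambiguous.
    const kind = /^(script|style)-src/.test(directive) ? "inline-or-eval" : "unknown";
    return { kind, directive, resource: null };
  }
  // Anything else should be a URL; fall back to the raw value (e.g. a bare scheme).
  let origin;
  try { origin = new URL(blocked).origin; } catch { origin = blocked; }
  return { kind: "url", directive, resource: origin };
}

// Aggregate reports into counts keyed by "directive kind[ resource]", the shape
// a dashboard or alert rule would consume.
function summarizeViolations(reports) {
  const counts = {};
  for (const r of reports) {
    const c = classifyViolation(r);
    const key = c.resource ? `${c.directive} ${c.kind} ${c.resource}` : `${c.directive} ${c.kind}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample reports: spec-conformant inline and eval violations, the
// empty-string case from this bug, and an ordinary blocked remote script.
const SAMPLE_REPORTS = [
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "inline" } },
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "eval" } },
  { "csp-report": { "violated-directive": "script-src 'self'", "blocked-uri": "" } },
  { "csp-report": { "effective-directive": "script-src", "blocked-uri": "https://cdn.example/x.js" } },
];

console.log(summarizeViolations(SAMPLE_REPORTS));
```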
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core
Blocks: csp-w3c-3
Whiteboard: [domsecurity-backlog]
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
Resolution: WONTFIX → FIXED