CSP: Return 'inline' or 'eval' when `'unsafe-inline'` or `'unsafe-eval'` are violated.

Status: NEW
Assignee: Unassigned
Reported / Modified: 3 years ago
Reporter: mkwst
Blocks: 1 bug
Version: Trunk
Points: ---
Firefox Tracking Flags: (Not tracked)
Whiteboard: [domsecurity-backlog]

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36

Steps to reproduce:

I visited a page whose Content Security Policy did not include `unsafe-inline`, but did include inline script.


Actual results:

The violation report's `blocked-uri` field was an empty string.


Expected results:

The (very new) https://w3c.github.io/webappsec-csp/#violation-resource defines a violation's resource as either a URL, or the string "inline" or "eval". The latter two are returned instead of an empty string when a violation occurs because of a mismatch with `unsafe-inline` or `unsafe-eval`. Ideally, the `blocked-uri` in the report would have contained one of those strings.
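To make the two behaviours described in this report concrete from the receiving side, here is an added example (not code from the bug, from Firefox, or from the Chromium patch) of a small `report-uri` endpoint helper. It normalises the `blocked-uri` field across the spec's "inline"/"eval" strings and the legacy empty string, so a monitoring pipeline can tell "the page has inline script the policy does not allow" from "a remote script was blocked". The report bodies, the `app.example`/`cdn.example` hosts and the triage record shape are constructed assumptions for the example.

```javascript
// Added example, not from the bug report, Firefox or Chrome: a small
// report-receiver helper that normalises the `blocked-uri` field of a CSP
// violation report across the two behaviours the bug describes: the spec's
// "inline"/"eval" strings and the empty string older builds sent.

// Classify one blocked-uri value. The returned object says what was blocked
// and which source expression the policy lacked. That is triage data only:
// the usual fix for an inline violation is a nonce or hash on the script,
// not adding 'unsafe-inline' to the policy.
function classifyBlockedUri(blockedUri) {
  if (blockedUri === 'inline') {
    return { kind: 'inline', sourceExpression: "'unsafe-inline'" };
  }
  if (blockedUri === 'eval') {
    return { kind: 'eval', sourceExpression: "'unsafe-eval'" };
  }
  if (blockedUri === undefined || blockedUri === '') {
    // Legacy reports: the empty string covered both inline and eval, so the
    // receiver cannot tell them apart and must treat the report as ambiguous.
    return { kind: 'inline-or-eval', sourceExpression: null };
  }
  try {
    // Full URL: keep only the origin, since paths and query strings in
    // reports can carry tokens or other sensitive data.
    return { kind: 'url', sourceExpression: new URL(blockedUri).origin };
  } catch (e) {
    // Not a parseable URL: browsers send a bare scheme such as "data" or
    // "blob" for those resources; turn it back into a source expression.
    return { kind: 'scheme', sourceExpression: `${blockedUri}:` };
  }
}

// Parse one report-uri POST body ({"csp-report": {...}}) into a triage record.
// Older reports may lack effective-directive, so fall back to the first token
// of violated-directive.
function triageReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r) throw new Error('not a csp-report body');
  const directive =
    r['effective-directive'] || (r['violated-directive'] || '').split(' ')[0];
  const blocked = classifyBlockedUri(r['blocked-uri']);
  return {
    document: new URL(r['document-uri']).origin,
    directive,
    ...blocked,
  };
}

// Constructed sample reports (not real traffic): one in the spec's new shape,
// one in the legacy empty-string shape, and one for a blocked remote script.
const SAMPLE_REPORTS = [
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/page',
    'effective-directive': 'script-src',
    'violated-directive': "script-src 'self'",
    'blocked-uri': 'inline',
    'original-policy': "script-src 'self'; report-uri /csp",
  } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/page',
    'violated-directive': "script-src 'self'",
    'blocked-uri': '',
    'original-policy': "script-src 'self'; report-uri /csp",
  } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': 'https://app.example/page',
    'effective-directive': 'script-src',
    'violated-directive': "script-src 'self'",
    'blocked-uri': 'https://cdn.example/lib.js?token=abc',
    'original-policy': "script-src 'self'; report-uri /csp",
  } }),
];

function triageAll(bodies) {
  return bodies.map(triageReport);
}

console.log(JSON.stringify(triageAll(SAMPLE_REPORTS), null, 2));
```

Once browsers send "inline" and "eval", the first sample classifies unambiguously; the second shows why the empty string was a problem for anyone consuming reports, since the receiver can only flag it as "inline or eval" and cannot say which source expression the page is missing.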
(Reporter)

Updated

3 years ago
Summary: CS: Return 'inline' or 'eval' when `'unsafe-inline'` or `'unsafe-eval'` are violated. → CSP: Return 'inline' or 'eval' when `'unsafe-inline'` or `'unsafe-eval'` are violated.
(Reporter)

Comment 1

3 years ago
Chrome has implemented this behavior in https://codereview.chromium.org/1486993002. Ms2ger assures me that your diff tools are better, but hopefully you can parse something useful out of that patch. :)
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core
Blocks: 1231788
Whiteboard: [domsecurity-backlog]