Open Bug 1251802 Opened 9 years ago Updated 2 years ago

EventSource object is created when it violates Content Security Policy

Categories

(Core :: DOM: Security, defect, P3)

44 Branch
defect


People

(Reporter: ilya.nesterov, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog2])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36

Steps to reproduce:

Section 7.3 of CSP2 specification https://www.w3.org/TR/CSP2/#directive-connect-src says:
"Whenever the user agent fetches a URL in the course of one of the following activities, if the URL does not match the allowed connection targets for the protected resource, the user agent MUST act as if there was a fatal network error and no resource was obtained, and report a violation"

but it seems the EventSource object is still created in the case when it violates CSP, while it shouldn't be. Firefox correctly handles the same scenario in case of a CSP violation for XHR and sendBeacon().
The request is still not sent though.

Chromium, on the other hand, correctly handles this case and does not create the EventSource object.

Please use the attached file for a quick test.
Also checked on the 45 and 47 branches. Still the same behavior.
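The following is an added example (not the reporter's attachment and not Firefox code) showing the connect-src check that CSP2 section 7.3 requires before an EventSource is handed back to the page. It assumes a simplified source-expression matcher ('self', 'none', '*', scheme sources, host sources with an optional leading "*." wildcard, connect-src falling back to default-src, no port or path matching) and takes the EventSource constructor as a parameter so it can run outside a browser.

```javascript
// Added example: simplified CSP2 connect-src enforcement for EventSource.
// Uses the global WHATWG URL class available in browsers and Node.js.

// Return the source list of a directive, or null if the header lacks it.
function directiveSources(cspHeader, name) {
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// Does one source expression match the (already absolute) target URL?
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === pageOrigin.origin;
  if (e === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(e);     // host source
  if (!m) return false;
  const scheme = m[1] ? `${m[1]}:` : pageOrigin.protocol; // host-only source inherits the page's scheme
  if (url.protocol !== scheme) return false;
  const host = m[2];
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1)); // "*.a.example" does not match "a.example"
  return url.hostname === host;
}

// connect-src governs EventSource, XHR and sendBeacon; absent, default-src applies.
function isConnectionAllowed(cspHeader, pageOrigin, targetUrl) {
  const list = directiveSources(cspHeader, "connect-src") ?? directiveSources(cspHeader, "default-src");
  if (list === null) return true; // no applicable directive: CSP does not restrict connections
  const url = new URL(targetUrl, pageOrigin);
  const origin = new URL(pageOrigin);
  return list.some((expr) => sourceMatches(expr, url, origin));
}

// Per CSP2 7.3 a blocked target is a fatal network error: report a violation and
// return no object, rather than constructing an EventSource that never connects.
// EventSourceCtor is injected (hypothetical parameter) so the example runs in Node.js.
function openEventSource(cspHeader, pageOrigin, targetUrl, EventSourceCtor) {
  if (!isConnectionAllowed(cspHeader, pageOrigin, targetUrl)) {
    return { source: null, violation: { directive: "connect-src", blockedURI: targetUrl } };
  }
  return { source: new EventSourceCtor(new URL(targetUrl, pageOrigin).href), violation: null };
}
```

In a real user agent the violation object would be delivered as a SecurityPolicyViolationEvent and to any report-uri endpoint.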
Component: Untriaged → DOM: Security
Product: Firefox → Core
This needs to be investigated.
Blocks: csp-w3c-3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [domsecurity-backlog]
Priority: -- → P2
Priority: P2 → P3
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog2]
Severity: normal → S3