Closed Bug 1262635 Opened 5 years ago Closed 5 years ago
CSP report blocked-uri value is incomplete
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

Steps to reproduce:

On this page: https://scotthelme.co.uk/csp-test/

There is an asset included that intentionally violates my CSP:

<img src="ftp://example.com/profile.png">

The ftp: scheme is not allowed so the fetch is blocked. Firefox sends a report as expected but the blocked-uri value is not what was expected.

Actual results:

blocked-uri: "ftp"

Expected results:

blocked-uri: "ftp://example.com"
Assignee: nobody → ckerschb
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Dan, we already had a discussion within whether ftp should be included or not. Back then we decided to only care about http and https. I don't have a strong opinion to be honest, but potentially we should include ftp: when stripping URIs for reports.

https://bugzilla.mozilla.org/show_bug.cgi?id=1208946#c13
Attachment #8741481 - Flags: review?(dveditz)
Comment on attachment 8741481: bug_1262635_uri_stripping_for_ftp.patch

Review of attachment 8741481:
-----------------------------------------------------------------

r=dveditz

What's the next scheme people are going to ask us to add? file:// perhaps? Would only be relevant if the document was itself a file: url, but there's no reason that couldn't have a <meta> CSP and someone may want a report if someone is trying a local injection attack. What about an add-on or app: protected by CSP, it might want to know about injected chrome:// or resource:// urls. Do we go ahead and add those now, or wait until someone asks for it?

::: dom/security/nsCSPContext.cpp
@@ +724,2 @@
> // not strictly spec compliant, but what we really care about is
> // http/https. If it's not http/https, then treat aURI as if

This comment needs to be updated to include ftp:
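Review bot: the quoted comment at @@ +724,2 @@ in dom/security/nsCSPContext.cpp names only http/https as the schemes that are kept as an origin, so once this patch adds ftp: to that set the comment should list http/https/ftp and also say plainly what happens to every other scheme (they are reduced to the bare scheme name, which is the "ftp" the reporter saw before the change), so the next reader knows the scheme-only result for chrome:// or file:// is intended rather than a bug.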
Attachment #8741481 - Flags: review?(dveditz) → review+
(In reply to Daniel Veditz [:dveditz] from comment #2)
> What's the next scheme people are going to ask us to add? file:// perhaps?

Maybe, but most importantly still is http and https. I don't have a strong opinion but I am fine with adding ftp for now. Updated the comment; carrying over r+ from dveditz.
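As an added example (mine, not the Firefox patch or nsCSPContext.cpp), this models the blocked-uri stripping rule the bug report and the comments above describe: schemes in an allowed set are cut down to scheme://host[:port], and every other scheme is reported as the bare scheme name, which is the "ftp" the reporter saw before ftp: was added. The function names, the two scheme sets and the sample policy are assumptions of this model, not values from the page.

```javascript
// Added example, not code from the Firefox patch or nsCSPContext.cpp.
// Models how a CSP report's blocked-uri is stripped before it is sent:
// schemes in the allowed set keep only scheme://host[:port]; every other
// scheme is reported as the bare scheme name, which is why the reporter
// saw "ftp" before ftp: was added to the set.

// Before the patch only http/https were stripped to an origin
// (assumption: modelled after the bug report, not read from Firefox source).
const ORIGIN_SCHEMES_BEFORE = new Set(["http:", "https:"]);
// After the patch ftp: is treated the same way as http/https.
const ORIGIN_SCHEMES_AFTER = new Set(["http:", "https:", "ftp:"]);

function stripURIForReport(uri, originSchemes = ORIGIN_SCHEMES_AFTER) {
  let u;
  try {
    u = new URL(uri);
  } catch {
    return ""; // unparseable input: report nothing rather than echo it back
  }
  if (originSchemes.has(u.protocol)) {
    // Drop path, query and fragment; keep scheme://host[:port] only.
    return `${u.protocol}//${u.host}`;
  }
  // Any other scheme (file:, chrome:, resource:, ...) collapses to its name.
  return u.protocol.slice(0, -1);
}

// Builds the JSON body a user agent POSTs to report-uri for one violation.
// The document URL is passed through unchanged here; only blocked-uri is stripped.
function buildReport(documentURI, blockedURI, directive, policy, originSchemes) {
  return {
    "csp-report": {
      "document-uri": documentURI,
      "blocked-uri": stripURIForReport(blockedURI, originSchemes),
      "violated-directive": directive,
      "original-policy": policy,
    },
  };
}

// Constructed sample mirroring the bug's steps to reproduce (policy is invented).
const sampleReport = buildReport(
  "https://scotthelme.co.uk/csp-test/",
  "ftp://example.com/profile.png",
  "img-src",
  "default-src 'self'; img-src https:; report-uri /csp-report",
  ORIGIN_SCHEMES_AFTER
);
```

Passing ORIGIN_SCHEMES_BEFORE instead reproduces the "ftp" value from the bug report, while the default set yields the expected "ftp://example.com".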