Closed Bug 1262635 Opened 8 years ago Closed 8 years ago

CSP report blocked-uri value is incomplete

Categories

Product / Component: Core :: DOM: Security (defect)
Version: 45 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla48
Tracking Status: firefox48 --- fixed

People

(Reporter: bugzilla, Assigned: ckerschb)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

Steps to reproduce:

On this page: https://scotthelme.co.uk/csp-test/

There is an asset included that intentionally violates my CSP:
<img src="ftp://example.com/profile.png">

The ftp: scheme is not allowed, so the fetch is blocked. Firefox sends a report as expected, but the blocked-uri value is not what was expected.


Actual results:

blocked-uri:"ftp"


Expected results:

blocked-uri:"ftp://example.com"
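As an added illustration (this is not Firefox's nsCSPContext code and not the reporter's own), the Node.js script below models the CSP Level 2 "strip URI for reporting" steps that this report turns on: a URI whose scheme is in a configurable set is stripped to its origin when cross-origin and only loses its fragment when same-origin, while every other scheme is treated like a globally unique origin (data:, blob:) and reported as the bare scheme name. With the set at {http, https}, which is how Firefox behaved before this bug, the ftp: image above comes out as "ftp"; with ftp added it comes out as "ftp://example.com". The page URL and the ftp: image are taken from the report; the other sample URLs, the directive strings and the report-object builder are assumptions made for the example.

```javascript
// Added example (not Firefox's nsCSPContext code): a model of CSP's
// "strip URI for reporting" step, with the set of schemes that keep an
// origin made explicit so the before/after behaviour of this bug can be
// compared. Runs offline under Node.js; the WHATWG URL class is built in.

// Schemes whose origin is reported. Before this bug: http/https only.
const ORIGIN_SCHEMES_BEFORE_FIX = new Set(["http:", "https:"]);
// After the fix ftp: is stripped to its origin as well.
const ORIGIN_SCHEMES_AFTER_FIX = new Set(["http:", "https:", "ftp:"]);

// Returns the value to put in blocked-uri (or document-uri) for `blockedUrl`
// when the document whose policy was violated is `protectedResourceUrl`.
function stripUriForReporting(blockedUrl, protectedResourceUrl, originSchemes) {
  const blocked = new URL(blockedUrl);
  const self = new URL(protectedResourceUrl);

  // Any scheme outside the set is handled like a globally unique origin
  // (data:, blob:, ...) and collapses to the bare scheme name. This is the
  // branch the ftp: image hit before the fix, hence blocked-uri "ftp".
  if (!originSchemes.has(blocked.protocol)) {
    return blocked.protocol.slice(0, -1); // drop the trailing ":"
  }
  // Cross-origin: report scheme://host[:port] only; path, query and
  // fragment are dropped so the report does not leak them to the collector.
  if (blocked.origin !== self.origin) {
    return blocked.origin;
  }
  // Same-origin: keep path and query, drop only the fragment.
  blocked.hash = "";
  return blocked.href;
}

// Assumed shape of the JSON body a report-uri endpoint receives. The key
// names follow the CSP csp-report object; the directive and policy values
// are constructed for this example and are not from the reporter's page.
function buildCspReport(blockedUrl, protectedResourceUrl, originSchemes) {
  return {
    "csp-report": {
      "document-uri": stripUriForReporting(protectedResourceUrl, protectedResourceUrl, originSchemes),
      "blocked-uri": stripUriForReporting(blockedUrl, protectedResourceUrl, originSchemes),
      "violated-directive": "img-src https:",
      "effective-directive": "img-src",
      "original-policy": "default-src 'self'; img-src https:; report-uri /csp-report",
    },
  };
}

// The case from the bug report: the page https://scotthelme.co.uk/csp-test/
// includes <img src="ftp://example.com/profile.png">.
const PAGE = "https://scotthelme.co.uk/csp-test/";
const FTP_IMAGE = "ftp://example.com/profile.png";

// blocked-uri as reported before and after the fix for the ftp: image.
function demo() {
  return {
    before: stripUriForReporting(FTP_IMAGE, PAGE, ORIGIN_SCHEMES_BEFORE_FIX), // "ftp"
    after: stripUriForReporting(FTP_IMAGE, PAGE, ORIGIN_SCHEMES_AFTER_FIX),   // "ftp://example.com"
  };
}

console.log(JSON.stringify(buildCspReport(FTP_IMAGE, PAGE, ORIGIN_SCHEMES_BEFORE_FIX), null, 2));
console.log(JSON.stringify(buildCspReport(FTP_IMAGE, PAGE, ORIGIN_SCHEMES_AFTER_FIX), null, 2));
```

A report-uri collector that keys alerts on blocked-uri should accept both forms: a bare scheme ("ftp", "data", "blob") and an origin without a path, since which one arrives depends on the scheme and on the browser version that sent it.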
Component: Untriaged → DOM: Security
Product: Firefox → Core
Assignee: nobody → ckerschb
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [domsecurity-active]
Dan, we already had a discussion within [1] whether ftp should be included or not. Back then we decided to only care about http and https. I don't have a strong opinion to be honest, but potentially we should include ftp: when stripping URIs for reports.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1208946#c13
Attachment #8741481 - Flags: review?(dveditz)
Comment on attachment 8741481 [details] [diff] [review]
bug_1262635_uri_stripping_for_ftp.patch

Review of attachment 8741481 [details] [diff] [review]:
-----------------------------------------------------------------

r=dveditz

What's the next scheme people are going to ask us to add? file:// perhaps? Would only be relevant if the document was itself a file: url, but there's no reason that couldn't have a <meta> CSP and someone may want a report if someone is trying a local injection attack. What about an add-on or app: protected by CSP, it might want to know about injected chrome:// or resource:// urls. Do we go ahead and add those now, or wait until someone asks for it?

::: dom/security/nsCSPContext.cpp
@@ +724,2 @@
>      // not strictly spec compliant, but what we really care about is
>      // http/https. If it's not http/https, then treat aURI as if
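Review bot: the comment at @@ +724 still says only http/https are of interest, which no longer matches a patch named bug_1262635_uri_stripping_for_ftp.patch whose point is to strip ftp: URIs the same way; reword it to "what we really care about is http/https and ftp" and, since the comment itself concedes the code is "not strictly spec compliant", state the fallback explicitly, i.e. that any scheme outside that set is reported as its bare scheme string (the blocked-uri "ftp" the reporter saw is that branch), so the question raised above about file:, chrome: and resource: can be answered against a documented rule rather than re-read from the condition.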

This comment needs to be updated to include ftp:
Attachment #8741481 - Flags: review?(dveditz) → review+
(In reply to Daniel Veditz [:dveditz] from comment #2)
> What's the next scheme people are going to ask us to add? file:// perhaps?
Maybe, but most important are still http and https. I don't have a strong opinion, but I am fine with adding ftp for now.

Updated the comment; carrying over r+ from dveditz.
Attachment #8741481 - Attachment is obsolete: true
Attachment #8742134 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/34e67475a707
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48