Bug 1262635 - CSP report blocked-uri value is incomplete
Status: Closed (RESOLVED FIXED), target milestone mozilla48
Opened 8 years ago; closed 8 years ago
Categories: Core :: DOM: Security, defect

Tracking | Status
---|---
firefox48 | fixed

People: Reporter: bugzilla, Assigned: ckerschb
Whiteboard: [domsecurity-active]
Attachments (1 file, 1 obsolete file): patch, 2.85 KB, ckerschb: review+
Description

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

Steps to reproduce:

On this page: https://scotthelme.co.uk/csp-test/

There is an asset included that intentionally violates my CSP:

<img src="ftp://example.com/profile.png">

The ftp: scheme is not allowed so the fetch is blocked. Firefox sends a report as expected but the blocked-uri value is not what was expected.

Actual results:

blocked-uri:"ftp"

Expected results:

blocked-uri:"ftp://example.com"
Updated • 8 years ago
Component: Untriaged → DOM: Security
Product: Firefox → Core

Updated • 8 years ago
Assignee: nobody → ckerschb
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [domsecurity-active]

Comment 1 • 8 years ago, by the assignee (ckerschb)
Dan, we already had a discussion within [1] whether ftp should be included or not. Back then we decided to only care about http and https. I don't have a strong opinion to be honest, but potentially we should include ftp: when stripping URIs for reports.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1208946#c13

Attachment #8741481 - Flags: review?(dveditz)
Comment 2 • 8 years ago, by Daniel Veditz [:dveditz]

Comment on attachment 8741481 [details] [diff] [review]
bug_1262635_uri_stripping_for_ftp.patch

Review of attachment 8741481 [details] [diff] [review]:
-----------------------------------------------------------------

r=dveditz

What's the next scheme people are going to ask us to add? file:// perhaps? Would only be relevant if the document was itself a file: url, but there's no reason that couldn't have a <meta> CSP and someone may want a report if someone is trying a local injection attack. What about an add-on or app: protected by CSP, it might want to know about injected chrome:// or resource:// urls. Do we go ahead and add those now, or wait until someone asks for it?

::: dom/security/nsCSPContext.cpp
@@ +724,2 @@
> // not strictly spec compliant, but what we really care about is
> // http/https. If it's not http/https, then treat aURI as if

This comment needs to be updated to include ftp:
Updated • 8 years ago
Attachment #8741481 - Flags: review?(dveditz) → review+
Comment 3 • 8 years ago, by the assignee (ckerschb)

(In reply to Daniel Veditz [:dveditz] from comment #2)
> What's the next scheme people are going to ask us to add? file:// perhaps?

Maybe, but most important are still http and https. I don't have a strong opinion but I am fine with adding ftp for now. Updated the comment; carrying over r+ from dveditz.
Attachment #8741481 - Attachment is obsolete: true
Attachment #8742134 - Flags: review+
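To make the stripping rule under discussion concrete, here is an added model of how a blocked URL is reduced before it lands in a csp-report's blocked-uri field; it is written for this page and is not Firefox's nsCSPContext.cpp. It assumes the rule the comments describe (cross-origin URLs on a recognised scheme keep only their origin, same-origin URLs keep everything but the fragment, every other scheme collapses to its bare name) and uses made-up constant and function names; the two scheme sets show the behaviour before and after ftp is added.

```python
from urllib.parse import urlsplit, urlunsplit

# Cross-origin blocked URLs on these schemes keep their origin in the report.
# Before the patch only http/https qualified, so ftp collapsed to the bare
# scheme; the patch adds ftp. (Names here are this example's, not Firefox's.)
REPORT_ORIGIN_SCHEMES_BEFORE = frozenset({"http", "https"})
REPORT_ORIGIN_SCHEMES_AFTER = REPORT_ORIGIN_SCHEMES_BEFORE | {"ftp"}


def origin_of(url):
    """scheme://host[:port] with userinfo, path, query and fragment dropped."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    netloc = f"{host}:{parts.port}" if parts.port else host
    return f"{parts.scheme}://{netloc}"


def strip_for_report(blocked_url, document_url, origin_schemes):
    """Reduce a blocked URL to the value reported as blocked-uri.

    Schemes outside origin_schemes are treated like opaque origins (data:,
    blob:, ...) and reported as the bare scheme; cross-origin URLs keep only
    their origin; same-origin URLs keep everything except the fragment.
    """
    parts = urlsplit(blocked_url)
    if parts.scheme not in origin_schemes:
        return parts.scheme
    if origin_of(blocked_url) != origin_of(document_url):
        return origin_of(blocked_url)
    return urlunsplit(parts._replace(fragment=""))


def build_csp_report(document_url, blocked_url, directive, origin_schemes):
    """Assemble the csp-report body a browser would POST to report-uri."""
    return {
        "csp-report": {
            "document-uri": urlunsplit(urlsplit(document_url)._replace(fragment="")),
            "violated-directive": directive,
            "blocked-uri": strip_for_report(blocked_url, document_url, origin_schemes),
        }
    }


if __name__ == "__main__":
    # Constructed inputs matching the bug report: page on scotthelme.co.uk,
    # blocked <img src="ftp://example.com/profile.png">, img-src violated.
    doc, img = "https://scotthelme.co.uk/csp-test/", "ftp://example.com/profile.png"
    for label, schemes in (("before", REPORT_ORIGIN_SCHEMES_BEFORE), ("after", REPORT_ORIGIN_SCHEMES_AFTER)):
        print(label, build_csp_report(doc, img, "img-src", schemes)["csp-report"]["blocked-uri"])
```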
Updated • 8 years ago
Keywords: checkin-needed
Comment 5 • 8 years ago, by bugherder
https://hg.mozilla.org/mozilla-central/rev/34e67475a707
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48