Closed Bug 1277495 Opened 8 years ago Closed 5 years ago

require-sri-for violations should report the blocked subresource, not the document

Categories

(Core :: DOM: Security, defect, P3)

RESOLVED WONTFIX

People

(Reporter: freddy, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

Attachments

(1 file)

      No description provided.
Freddy, can you please provide a link to the code so that someone picking up that bug has a starting point? Thanks!
Whiteboard: [domsecurity-backlog]
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #1)
> Freddy, can you please provide a link to the code so that someone picking up
> that bug has a starting point? Thanks!

Sorry, I missed that you assigned it to yourself!
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog] → [domsecurity-active]
This work-in-progress patch gets both URLs (the blocked one as well as the document URL) and passes them to logViolationReport.
Unfortunately logViolationReport() always sends a blocked-uri of 'self', which is not useful at all.

This bug needs a fix of the CASE_CHECK_AND_REPORT macro before it can be useful.
Priority: -- → P2
Comment 3 said logViolationReport, but the function in question is actually nsCSPContext:LogViolationDetails.
Status: ASSIGNED → NEW
Assignee: fbraun → nobody
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
Blocks: 1386214
Whiteboard: [domsecurity-active] → [domsecurity-backlog]

We've unimplemented require-sri-for

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX