Content-Security-Policy report is incorrect (truncated)

RESOLVED WORKSFORME

Reporter: fdsc, Unassigned
Tracking: 51 Branch


Description (Reporter, 2 years ago)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

GET the file over HTTP: http://huac.8vs.ru/csp-test.php

Content of the file:
<script type='text/javascript'>
alert('Скрипт действует! Хотя не должен');
</script>
(The alert text is Russian for "The script is running! Although it should not".)

with the HTTP response header:
Content-Security-Policy: default-src 'none'; style-src 'self'; script-src 'self'; img-src 'self' data: mc.yandex.ru/watch/23496292; report-to csp; report-uri http://huac.8vs.ru/csp-report.php



Actual results:

The CSP report is truncated:

{"csp-report":{"blocked-uri":"self","document-uri":"http://huac.8vs.ru/csp-test.php","line-number":1,"original-policy":"default-src 'none'; style-src http://huac.8vs.ru; script-src http://huac.8vs.ru; img-src http://huac.8vs.ru data: http://mc.yandex.ru/watch/23496292; report-uri http://huac.8vs.ru/csp-report.php","referrer":"","script-sample":"\nalert('Скрипт действует! Хотя не должен...","source-file":"http://huac.8vs.ru/csp-test.php","violated-directive":"scrip 


The issue occurs only if the script contains Russian characters (probably any character whose Unicode encoding takes 2 bytes).


For example, a correct CSP report is produced if the Russian characters are substituted with spaces:
{
    "csp-report": 
    {
        "blocked-uri": "self",
        "document-uri": "http://huac.8vs.ru/csp-test.php",
        "line-number": 1,
        "original-policy": "default-src 'none'; style-src http://huac.8vs.ru; script-src http://huac.8vs.ru; img-src http://huac.8vs.ru data: http://mc.yandex.ru/watch/23496292; report-uri http://huac.8vs.ru/csp-report.php",
        "referrer": "",
        "script-sample": "\nalert('                                ...",
        "source-file": "http://huac.8vs.ru/csp-test.php",
        "violated-directive": "script-src http://huac.8vs.ru"
    }
} 


Expected results:

The CSP report must be correct.
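As an added illustration (not part of the bug report, and not Firefox's reporting code): the page does not state the root cause, but one mechanism that would yield exactly the truncation shown above is a sender that encodes the report body as UTF-8 while sizing it by the JavaScript string length (UTF-16 code units). The script-sample contains 27 Cyrillic letters, each one code unit but two UTF-8 bytes, so such a sender drops 27 bytes, which is precisely the length of the missing tail `t-src http://huac.8vs.ru"}}`. The code below is hypothetical model code that reconstructs the report from the fields shown on this page and checks that assumption against the observed output; the function names are its own.

```javascript
// Added example, not code from the bug report or from Firefox. The page does
// not state the root cause; this models one assumed mechanism (UTF-8 byte
// length vs. UTF-16 string length) and checks it against the truncated
// output shown in the report.

// The report fields as they appear on the page, with the Russian script-sample.
const cspReport = {
  "csp-report": {
    "blocked-uri": "self",
    "document-uri": "http://huac.8vs.ru/csp-test.php",
    "line-number": 1,
    "original-policy": "default-src 'none'; style-src http://huac.8vs.ru; script-src http://huac.8vs.ru; img-src http://huac.8vs.ru data: http://mc.yandex.ru/watch/23496292; report-uri http://huac.8vs.ru/csp-report.php",
    "referrer": "",
    "script-sample": "\nalert('Скрипт действует! Хотя не должен...",
    "source-file": "http://huac.8vs.ru/csp-test.php",
    "violated-directive": "script-src http://huac.8vs.ru"
  }
};

// Compact JSON body, as a browser would POST it to report-uri.
function serializeReport(report) {
  return JSON.stringify(report);
}

// How many bytes the UTF-8 body is longer than the JavaScript string
// (UTF-16 code units). Every Cyrillic letter costs 2 bytes but 1 code unit,
// so this is also the number of bytes a length-mismatched sender drops.
function bytesLost(json) {
  return new TextEncoder().encode(json).byteLength - json.length;
}

// Hypothetical buggy sender: encodes to UTF-8 but sizes the body by
// json.length, so the tail falls off. If the cut landed inside a multi-byte
// sequence the decoder would emit U+FFFD; here the dropped tail is pure ASCII.
function sendWithLengthMismatch(json) {
  const bytes = new TextEncoder().encode(json);
  return new TextDecoder().decode(bytes.slice(0, json.length));
}

// Correct sender: size the body by its byte length.
function sendByByteLength(json) {
  const bytes = new TextEncoder().encode(json);
  return new TextDecoder().decode(bytes.slice(0, bytes.byteLength));
}

// Receiver-side check a report endpoint can run: a truncated report is not
// valid JSON, so reject it instead of logging a partial record.
function parseReport(body) {
  try {
    return { ok: true, report: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: String(e) };
  }
}

function demo() {
  const json = serializeReport(cspReport);
  const broken = sendWithLengthMismatch(json);
  console.log("bytes lost:", bytesLost(json)); // 27
  console.log("truncated tail:", broken.slice(-40));
  console.log("truncated parses:", parseReport(broken).ok);
  console.log("byte-sized parses:", parseReport(sendByByteLength(json)).ok);
}
demo();
```

The spaces-only variant on the page has no multi-byte characters, so `bytesLost` is 0 for it and the two senders agree, which matches the reporter's observation that the report is only damaged when Russian characters are present.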
Comment 1 (Reporter, 2 years ago)
It seems that the bug has already been fixed in Firefox DE.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
Updated (Reporter, 2 years ago)
Component: Security → DOM: Security