Closed
Bug 1342716
Opened 8 years ago
Closed 8 years ago
Content-Security-Policy report is incorrect (truncated)
Categories
(Core :: DOM: Security, defect)
RESOLVED
WORKSFORME
People
(Reporter: fdsc, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131
Steps to reproduce:
GET the HTTP file http://huac.8vs.ru/csp-test.php
Content of the file:
<script type='text/javascript'>
alert('Скрипт действует! Хотя не должен');
</script>
with the HTTP response header
Content-Security-Policy: default-src 'none'; style-src 'self'; script-src 'self'; img-src 'self' data: mc.yandex.ru/watch/23496292; report-to csp; report-uri http://huac.8vs.ru/csp-report.php
Actual results:
The CSP report is truncated:
{"csp-report":{"blocked-uri":"self","document-uri":"http://huac.8vs.ru/csp-test.php","line-number":1,"original-policy":"default-src 'none'; style-src http://huac.8vs.ru; script-src http://huac.8vs.ru; img-src http://huac.8vs.ru data: http://mc.yandex.ru/watch/23496292; report-uri http://huac.8vs.ru/csp-report.php","referrer":"","script-sample":"\nalert('Скрипт действует! Хотя не должен...","source-file":"http://huac.8vs.ru/csp-test.php","violated-directive":"scrip
The issue occurs only if the script has Russian characters (probably any character whose Unicode code is 2 bytes).
For example, a correct CSP record if the Russian symbols are substituted with spaces:
{
"csp-report":
{
"blocked-uri": "self",
"document-uri": "http://huac.8vs.ru/csp-test.php",
"line-number": 1,
"original-policy": "default-src 'none'; style-src http://huac.8vs.ru; script-src http://huac.8vs.ru; img-src http://huac.8vs.ru data: http://mc.yandex.ru/watch/23496292; report-uri http://huac.8vs.ru/csp-report.php",
"referrer": "",
"script-sample": "\nalert(' ...",
"source-file": "http://huac.8vs.ru/csp-test.php",
"violated-directive": "script-src http://huac.8vs.ru"
}
}
Expected results:
The CSP report must be correct.
It seems that the bug has already been fixed in Firefox DE.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
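As an added example (not part of the bug report or of Firefox), the snippet below shows what a report-collecting endpoint such as the csp-report.php in this bug should do with a report like the truncated one above: never drop an unparseable body silently, but record it as a truncation or malformation event with its byte length and the parse position, so that a browser-side bug of this kind is visible in the collector's logs instead of disappearing. It also computes the character count versus the UTF-8 byte count of the 40-character script-sample shown in the report, which is the discrepancy the reporter suspects is behind the truncation. The two sample bodies are constructed here from the report text on the page; the function names are hypothetical.

```python
import json

# Constructed from the truncated report in the bug: the body ends mid-key, so it is not valid JSON.
TRUNCATED_REPORT = (
    '{"csp-report":{"blocked-uri":"self","document-uri":"http://huac.8vs.ru/csp-test.php",'
    '"script-sample":"\\nalert(\'Скрипт действует! Хотя не должен...","violated-directive":"scrip'
)

# Constructed from the complete report the reporter obtained with the Cyrillic letters replaced by spaces.
COMPLETE_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "self",
    "document-uri": "http://huac.8vs.ru/csp-test.php",
    "line-number": 1,
    "script-sample": "\nalert(' ...",
    "source-file": "http://huac.8vs.ru/csp-test.php",
    "violated-directive": "script-src http://huac.8vs.ru",
}})

# Fields a report must carry before it is worth treating as a policy-violation event.
REQUIRED_FIELDS = ("document-uri", "violated-directive")


def parse_csp_report(body: bytes) -> dict:
    """Classify one report body. Never raises: a malformed report is a finding, not an exception."""
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError as exc:
        # Cut off in the middle of a multi-byte sequence, or not UTF-8 at all.
        return {"status": "invalid-utf8", "byte_len": len(body), "error_at": exc.start}
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # A body that stops mid-stream fails here; keep the size and position for triage.
        return {"status": "truncated-or-malformed", "byte_len": len(body),
                "char_len": len(text), "error_at": exc.pos}
    report = doc.get("csp-report") if isinstance(doc, dict) else None
    if not isinstance(report, dict):
        return {"status": "missing-csp-report", "byte_len": len(body)}
    missing = [key for key in REQUIRED_FIELDS if key not in report]
    if missing:
        return {"status": "incomplete", "missing": missing}
    return {
        "status": "ok",
        "document_uri": report["document-uri"],
        "violated_directive": report["violated-directive"],
        "script_sample": report.get("script-sample", ""),
    }


def sample_sizes(sample: str) -> tuple[int, int]:
    """Character count and UTF-8 byte count of a script-sample; they differ once non-ASCII text appears."""
    return len(sample), len(sample.encode("utf-8"))


if __name__ == "__main__":
    for body in (TRUNCATED_REPORT.encode("utf-8"), COMPLETE_REPORT.encode("utf-8")):
        print(parse_csp_report(body))
    # The 40-character sample from the bug occupies 67 bytes in UTF-8.
    print(sample_sizes("\nalert('Скрипт действует! Хотя не должен"))
```

The collector side cannot repair a report the browser cut short, but logging the failure with its byte length makes a pattern like "every report containing non-ASCII script text is truncated" easy to spot, which is exactly how this class of bug surfaces in practice.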