Closed
Bug 1342716
Opened 7 years ago
Closed 7 years ago
Content-Security-Policy report is incorrect (truncated)
Categories
(Core :: DOM: Security, defect)
RESOLVED
WORKSFORME
People
(Reporter: fdsc, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131

Steps to reproduce:

GET HTTP file http://huac.8vs.ru/csp-test.php

Content of the file:

<script type='text/javascript'>
alert('Скрипт действует! Хотя не должен');
</script>

with the HTTP response header

Content-Security-Policy: default-src 'none'; style-src 'self'; script-src 'self'; img-src 'self' data: mc.yandex.ru/watch/23496292; report-to csp; report-uri http://huac.8vs.ru/csp-report.php

Actual results:

The CSP report is truncated:

{"csp-report":{"blocked-uri":"self","document-uri":"http://huac.8vs.ru/csp-test.php","line-number":1,"original-policy":"default-src 'none'; style-src http://huac.8vs.ru; script-src http://huac.8vs.ru; img-src http://huac.8vs.ru data: http://mc.yandex.ru/watch/23496292; report-uri http://huac.8vs.ru/csp-report.php","referrer":"","script-sample":"\nalert('Скрипт действует! Хотя не должен...","source-file":"http://huac.8vs.ru/csp-test.php","violated-directive":"scrip

The issue occurs only if the script has Russian characters (probably any character that Unicode encodes with 2 bytes).

For example, the CSP record is correct if the Russian symbols are substituted with spaces:

{
  "csp-report": {
    "blocked-uri": "self",
    "document-uri": "http://huac.8vs.ru/csp-test.php",
    "line-number": 1,
    "original-policy": "default-src 'none'; style-src http://huac.8vs.ru; script-src http://huac.8vs.ru; img-src http://huac.8vs.ru data: http://mc.yandex.ru/watch/23496292; report-uri http://huac.8vs.ru/csp-report.php",
    "referrer": "",
    "script-sample": "\nalert(' ...",
    "source-file": "http://huac.8vs.ru/csp-test.php",
    "violated-directive": "script-src http://huac.8vs.ru"
  }
}

Expected results:

The CSP report must be correct.
It seems that the bug has already been fixed in the Firefox DE.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
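A report-uri collector can recognise a cut-off body like the one above and keep the fields that arrived whole instead of discarding the report. This is an added example, not part of the bug report or of Firefox code; `parse_csp_report`, `EXPECTED_KEYS` and the shortened sample body are assumptions made for illustration.

```python
import json
import re

# Keys present in the complete report shown in this bug.
EXPECTED_KEYS = {"blocked-uri", "document-uri", "line-number", "original-policy",
                 "referrer", "script-sample", "source-file", "violated-directive"}

# One complete "key": value pair (JSON string or integer) followed by ',' or '}'.
_PAIR = re.compile(r'"([a-z-]+)"\s*:\s*("(?:[^"\\]|\\.)*"|-?\d+)(?=\s*[,}])')

# Constructed test input: the truncated body quoted in this bug, policy shortened.
TRUNCATED_BODY = (
    '{"csp-report":{"blocked-uri":"self",'
    '"document-uri":"http://huac.8vs.ru/csp-test.php","line-number":1,'
    '"original-policy":"default-src \'none\'; script-src http://huac.8vs.ru",'
    '"referrer":"","script-sample":"\\nalert(\'Скрипт действует! Хотя не должен...",'
    '"source-file":"http://huac.8vs.ru/csp-test.php","violated-directive":"scrip'
).encode("utf-8")


def parse_csp_report(body: bytes) -> dict:
    """Parse a report-uri POST body, salvaging fields when the JSON is cut off."""
    # A cut may land inside a multi-byte character, so decode leniently.
    text = body.decode("utf-8", errors="replace")
    try:
        fields = json.loads(text)["csp-report"]
        truncated = not isinstance(fields, dict)
    except (ValueError, KeyError, TypeError):
        truncated = True
    if truncated:
        # Keep only pairs that arrived whole; a half-sent value is dropped, not guessed.
        fields = {}
        for key, raw in _PAIR.findall(text):
            try:
                fields[key] = json.loads(raw)
            except ValueError:
                continue  # malformed escape sequence inside the value
    return {"truncated": truncated,
            "fields": fields,
            "missing": sorted(EXPECTED_KEYS - fields.keys())}


if __name__ == "__main__":
    result = parse_csp_report(TRUNCATED_BODY)
    print(result["truncated"], result["missing"])
```

Logging the `truncated` flag and the `missing` list next to the request's User-Agent header shows which browser builds send incomplete reports.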