Closed Bug 1342716 Opened 8 years ago Closed 8 years ago

Content-Security-Policy report is incorrect (truncated)

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Version:
51 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: fdsc, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 Build ID: 20170125094131 Steps to reproduce: GET HTTP file http://huac.8vs.ru/csp-test.php Content of the file: <script type='text/javascript'> alert('Скрипт действует! Хотя не должен'); </script> with http response header Content-Security-Policy: default-src 'none'; style-src 'self'; script-src 'self'; img-src 'self' data: mc.yandex.ru/watch/23496292; report-to csp; report-uri http://huac.8vs.ru/csp-report.php Actual results: The CSP report are truncated {"csp-report":{"blocked-uri":"self","document-uri":"http://huac.8vs.ru/csp-test.php","line-number":1,"original-policy":"default-src 'none'; style-src http://huac.8vs.ru; script-src http://huac.8vs.ru; img-src http://huac.8vs.ru data: http://mc.yandex.ru/watch/23496292; report-uri http://huac.8vs.ru/csp-report.php","referrer":"","script-sample":"\nalert('Скрипт действует! Хотя не должен...","source-file":"http://huac.8vs.ru/csp-test.php","violated-directive":"scrip The issue occurs only if the script has Russian characters (probably any character for which code by the unicode with 2 bytes) For example, correct CSP record if Russian symbols substituted with spaces { "csp-report": { "blocked-uri": "self", "document-uri": "http://huac.8vs.ru/csp-test.php", "line-number": 1, "original-policy": "default-src 'none'; style-src http://huac.8vs.ru; script-src http://huac.8vs.ru; img-src http://huac.8vs.ru data: http://mc.yandex.ru/watch/23496292; report-uri http://huac.8vs.ru/csp-report.php", "referrer": "", "script-sample": "\nalert(' ...", "source-file": "http://huac.8vs.ru/csp-test.php", "violated-directive": "script-src http://huac.8vs.ru" } } Expected results: CSP report must be correct
It seems that the bug has already been fixed in the FireFox DE
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Component: Security → DOM: Security
You need to log in before you can comment on or make changes to this bug.