Open Bug 1345886 Opened 7 years ago Updated 2 years ago

CSP: Include a script sample of the offending script also for event-handlers

Categories

(Core :: DOM: Security, enhancement, P3)

enhancement


UNCONFIRMED

People

(Reporter: lwe, Unassigned, Mentored)

Details

(Whiteboard: [domsecurity-backlog1])

The script-sample currently provided in CSP reports of violations caused by event-handlers is too generic (e.g. "onclick attribute on DIV element").

It would be very valuable for developers if the script-sample field also included the offending script for event handlers (like it does for inline scripts).
Currently it is not possible to distinguish between event-handler script violations from extensions and the site itself.
So we end up with a high number of violations where we just don't have the information we'd need to classify them as noise/real...

E.g. <div onclick="foo('bar')"> could set script-sample in the CSP report to "foo('bar')"

See also: https://github.com/w3c/webappsec-csp/issues/119
Component: Security → DOM: Security
Product: Firefox → Core
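As an added illustration of the triage problem the report describes (this is not code from the bug, from Firefox, or from the CSP spec): a small report-uri collector that tries to attribute inline-handler violations to the handlers the site itself ships. The handler allowlist, the regex for the generic descriptor, and the three sample reports are constructed assumptions.

```python
import json
import re

# CSP Level 3 truncates the reported sample to its first 40 characters,
# so handler bodies are compared on that prefix.
SAMPLE_LIMIT = 40

# Shape of the generic descriptor quoted in the bug
# ("onclick attribute on DIV element"); the regex is an assumption.
GENERIC_SAMPLE = re.compile(r"^on\w+ attribute on \w+ element$")

# Inline handler bodies this (hypothetical) site legitimately ships.
SITE_HANDLERS = {"foo('bar')", "toggleMenu(event)"}


def classify(report_json, site_handlers=SITE_HANDLERS):
    """Attribute one CSP report: "site" if the sample matches a handler the
    site ships, "foreign" if it is a concrete sample that is not ours
    (extension, injection), "unknown" if only a generic descriptor arrived."""
    report = json.loads(report_json)["csp-report"]
    sample = report.get("script-sample", "")
    if not sample or GENERIC_SAMPLE.match(sample):
        return "unknown"
    known = {h[:SAMPLE_LIMIT] for h in site_handlers}
    return "site" if sample[:SAMPLE_LIMIT] in known else "foreign"


def triage(reports, site_handlers=SITE_HANDLERS):
    """Bucket a batch of reports the way a collector would."""
    counts = {"site": 0, "foreign": 0, "unknown": 0}
    for r in reports:
        counts[classify(r, site_handlers)] += 1
    return counts


def _report(sample):
    # Constructed report-uri payload; only script-sample varies here.
    return json.dumps({"csp-report": {
        "document-uri": "https://example.test/",
        "violated-directive": "script-src",
        "blocked-uri": "inline",
        "script-sample": sample}})


# What the bug says Firefox sends today for <div onclick="foo('bar')">.
CURRENT_REPORT = _report("onclick attribute on DIV element")
# What the bug asks for: the handler body itself, which we can match.
PROPOSED_REPORT = _report("foo('bar')")
# Same shape, but a handler the site never shipped (e.g. extension-injected).
INJECTED_REPORT = _report("trackClick('ext-42')")
```

With the generic descriptor every event-handler report lands in the "unknown" bucket, which is exactly the noise-versus-real classification the report says is impossible today.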
Thanks for reporting, Lukas, and while I agree that that would be valuable that bug has to go to the backlog for now :-(
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Severity: normal → S3