Bug 1409714 - Need an option to disable the CSP, PKP (and other future) reports
Status: NEW (open); opened 8 years ago, updated 3 years ago
Product/Component: Core :: DOM: Security (enhancement, P3)
Reporter: zihaf; Assignee: Unassigned
Whiteboard: [domsecurity-backlog]
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20100101
Steps to reproduce:
Initiate a situation for CSP or PKP report to trigger.
Actual results:
Reports happen as designed to.
Expected results:
CSP and PKP reports could be specially handcrafted by ad and tracking sites to leak information in case cookies and other usual means are disabled. I'd like to have control over what, when and to where my browser is sending information, but currently I can't find a way to disable those reports.
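To make the reporter's concern concrete, here is an added example (not code from this bug, and not Firefox code) that models the trick end to end: the site puts a per-visitor token into report-uri and serves a policy that every page view is guaranteed to violate, so the browser POSTs a report carrying that token on each load whether or not cookies are available. The hostnames, paths and the query parameter name "v" are hypothetical; the browser side is a deliberate simplification of CSP source matching that only handles 'none', '*', 'self' and exact origins.

```javascript
// Added example, not code from the bug or from Firefox. It models the tracking
// trick described in the report: a per-visitor token in report-uri plus a
// policy that always fires, so every page load produces a report POST.
// Hostnames, paths and the query parameter "v" are hypothetical.

const TRACKER_ORIGIN = "https://tracker.example"; // hypothetical endpoint

// Site side: a policy that always fires. img-src 'none' blocks the tracking
// pixel unconditionally, and report-uri carries the visitor token.
function buildTrackingCsp(visitorId) {
  const v = encodeURIComponent(visitorId);
  return `default-src 'self'; img-src 'none'; report-uri ${TRACKER_ORIGIN}/csp-report?v=${v}`;
}

// Minimal CSP parser: "a b; c d" -> { a: ["b"], c: ["d"] }.
function parsePolicy(policy) {
  const directives = {};
  for (const clause of policy.split(";")) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Source-list matching reduced to what the example needs: 'none', '*',
// 'self' and exact origins. Real CSP matching also handles schemes,
// host wildcards, paths, nonces and hashes.
function allowsLoad(sources, documentUri, resourceUri) {
  if (sources.includes("'none'")) return false;
  const docOrigin = new URL(documentUri).origin;
  const resOrigin = new URL(resourceUri).origin;
  return sources.some(s =>
    s === "*" || (s === "'self'" && resOrigin === docOrigin) || s === resOrigin);
}

// Browser side, simplified: decide whether an <img src=...> on the page
// violates the policy and, if so, build the report request the browser
// would send. The JSON shape follows the CSP 1.0 report format posted to
// report-uri; cookies play no part in the decision.
function simulateBrowser(policy, documentUri, imgSrc) {
  const p = parsePolicy(policy);
  const governing = p["img-src"] ? "img-src" : "default-src";
  const sources = p[governing] || ["*"];
  if (allowsLoad(sources, documentUri, imgSrc)) return null;
  const reportUri = (p["report-uri"] || [])[0];
  if (!reportUri) return null; // violation without reporting: nothing leaves
  return {
    method: "POST",
    url: new URL(reportUri, documentUri).href,
    contentType: "application/csp-report",
    body: JSON.stringify({
      "csp-report": {
        "document-uri": documentUri,
        "referrer": "",
        "blocked-uri": imgSrc,
        "violated-directive": `${governing} ${sources.join(" ")}`,
        "original-policy": policy,
      },
    }),
  };
}

// Tracker side: the token comes back in the report URL, and the report body
// additionally reveals which page the visitor was on.
function extractVisitorRecord(request) {
  const url = new URL(request.url);
  const report = JSON.parse(request.body)["csp-report"];
  return {
    visitorId: url.searchParams.get("v"),
    page: report["document-uri"],
    blocked: report["blocked-uri"],
  };
}

// Demo run on constructed input: one page view by "visitor-42".
const demoPolicy = buildTrackingCsp("visitor-42");
const demoRequest = simulateBrowser(demoPolicy, "https://news.example/article",
  `${TRACKER_ORIGIN}/pixel.gif`);
console.log(demoRequest && extractVisitorRecord(demoRequest));
```

Note that the only knob Firefox exposes today is coarser than what the bug asks for: the security.csp.enable pref turns CSP off altogether, which stops the reports but also removes every protection the policy gives the page.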
Updated 8 years ago:
Component: Untriaged → DOM: Security
Product: Firefox → Core
Comment 1 (dveditz, 8 years ago)
I suppose a master switch for disabling them all would be OK. I wouldn't want to allow fine-grained ability to turn off reports from this service but not that one. (We do have a pref to disable the features though -- CSP and PKP can both be disabled entirely.)
Tom: is this in any way interesting as part of the "resistFingerprinting" work? Frankly I think this is a stupid way to track someone (if you can make this work you can probably track them more directly) but maybe I'm not being creative enough.
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(tom)
Priority: -- → P3
Whiteboard: [domsecurity-backlog]
Comment 2 (tjr, 8 years ago)
We don't send PKP reports yet; that's Bug 1091176.
I'm not sure I understand the exact concern or scenario behind wanting to disable CSP or PKP reports, but I can appreciate the desire to be able to control it. I don't think this is related to antifingerprinting though. It does however affect First Party Isolation.
When FPI is enabled, an ad network that is a third party on a.com should not be able to store persistent HSTS, CSP, or HPKP data that affects its behavior when it is a third party on b.com. If that is not the case we have a serious bug in FPI.
Flags: needinfo?(tom)
@dveditz
I agree, a master switch to enable/disable all these reports would be fine. Can you please tell me the name of this pref you mentioned?
@tjr
> We don't send PKP reports yet, that's Bug 1091176
My bad: I had checked only the CSP reports and was too lazy to check PKP (I assumed it would work); good to know it actually doesn't.
And I totally agree with your statement about the FPI and HSTS, CSP, HPKP, etc. isolation.
Updated 3 years ago:
Severity: normal → S3