Closed Bug 1418236 Opened 2 years ago Closed Last year

CSP violation event target

Categories

(Core :: DOM: Security, enhancement, P3)

enhancement

Tracking

()

RESOLVED FIXED
mozilla63
Tracking Status
firefox63 --- fixed

People

(Reporter: cfu, Assigned: baku)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1] [domsecurity-active])

Attachments

(1 file, 1 obsolete file)

In bug 1037335, we introduced a basic implementation of CSP violation event, which is fired to the policy's loading document.  We are going to update how the event target is determined according to the latest standard.

https://w3c.github.io/webappsec-csp/#report-violation
Blocks: 1037335
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
No longer blocks: 1037335
Attached patch csp_target.patch (obsolete) — Splinter Review
Still waiting for a full green result...
Assignee: nobody → amarchesini
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog1] → [domsecurity-backlog1] [domsecurity-active]
Comment on attachment 8989805 [details] [diff] [review]
csp_target.patch

This doesn't fix a corner case:

var iframe = document.createElement('iframe');
document.body.appendChild(iframe);
iframe.src = "javascript:something";

in theory, iframe should be the target for the CSP violation event, but we still send events to the document.
I know why, but I need to talk with bz to find the correct way to fix this issue.
Follow up.
Attachment #8989805 - Flags: review?(ckerschb)
(In reply to Andrea Marchesini [:baku] from comment #2)
> Comment on attachment 8989805 [details] [diff] [review]
> csp_target.patch
> 
> This doesn't fix a corner case:
> 
> var iframe = document.createElement('iframe');
> document.body.appendChild(iframe);
> iframe.src = "javascript:something";
> 
> in theory, iframe should be the target for the CSP violation event, but we
> still send events to the document.
> I know why, but I need to talk with bz to find the correct way to fix this
> issue.
> Follow up.

As discussed on IRC, the follow up is Bug 1473630.
Blocks: 1473630
Attached patch csp_target.patchSplinter Review
Attachment #8989805 - Attachment is obsolete: true
Attachment #8989805 - Flags: review?(ckerschb)
Attachment #8990985 - Flags: review?(ckerschb)
Comment on attachment 8990985 [details] [diff] [review]
csp_target.patch

Review of attachment 8990985 [details] [diff] [review]:
-----------------------------------------------------------------

Passing the triggeringElement around sounds good to me. r=me

PS: Probably you want to update the commit message.
Attachment #8990985 - Flags: review?(ckerschb) → review+
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1b3143e4ec83
Correct EventTarget for CSP violation events, r=ckerschb
https://hg.mozilla.org/mozilla-central/rev/1b3143e4ec83
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
You need to log in before you can comment on or make changes to this bug.