Closed Bug 1418236 Opened 7 years ago Closed 6 years ago

CSP violation event target

Categories

(Core :: DOM: Security, enhancement, P3)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox63 --- fixed

People

(Reporter: cfu, Assigned: baku)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1] [domsecurity-active])

Attachments

(1 file, 1 obsolete file)

csp_target.patch
51.39 KB, patch
ckerschb
: review+
Details | Diff | Splinter Review 
In bug 1037335, we introduced a basic implementation of CSP violation event, which is fired to the policy's loading document.  We are going to update how the event target is determined according to the latest standard.

https://w3c.github.io/webappsec-csp/#report-violation
Blocks: 1037335
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
No longer blocks: 1037335
Attached patch csp_target.patch (obsolete) — Splinter Review 
Still waiting for a full green result...
Assignee: nobody → amarchesini
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog1] → [domsecurity-backlog1] [domsecurity-active]
Comment on attachment 8989805 [details] [diff] [review]
csp_target.patch

This doesn't fix a corner case:

var iframe = document.createElement('iframe');
document.body.appendChild(iframe);
iframe.src = "javascript:something";

in theory, iframe should be the target for the CSP violation event, but we still send events to the document.
I know why, but I need to talk with bz to find the correct way to fix this issue.
Follow up.
Attachment #8989805 - Flags: review?(ckerschb)
(In reply to Andrea Marchesini [:baku] from comment #2)
> Comment on attachment 8989805 [details] [diff] [review]
> csp_target.patch
> 
> This doesn't fix a corner case:
> 
> var iframe = document.createElement('iframe');
> document.body.appendChild(iframe);
> iframe.src = "javascript:something";
> 
> in theory, iframe should be the target for the CSP violation event, but we
> still send events to the document.
> I know why, but I need to talk with bz to find the correct way to fix this
> issue.
> Follow up.

As discussed on IRC, the follow up is Bug 1473630.
Blocks: 1473630
Attached patch csp_target.patchSplinter Review 

        Attachment #8989805 -
        Attachment is obsolete: true

        Attachment #8989805 -
        Flags: review?(ckerschb)

        Attachment #8990985 -
        Flags: review?(ckerschb)

    
    

    
  
Comment on attachment 8990985 [details] [diff] [review]
csp_target.patch

Review of attachment 8990985 [details] [diff] [review]:
-----------------------------------------------------------------

Passing the triggeringElement around sounds good to me. r=me

PS: Probably you want to update the commit message.

        Attachment #8990985 -
        Flags: review?(ckerschb) → review+

    
    

    
  
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1b3143e4ec83
Correct EventTarget for CSP violation events, r=ckerschb

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/1b3143e4ec83
Status: ASSIGNED → RESOLVED
Closed: 6 years ago

          status-firefox63:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: