Closed
Bug 1418236
Opened 7 years ago
Closed 6 years ago
CSP violation event target
Categories
(Core :: DOM: Security, enhancement, P3)
Tracking
RESOLVED
FIXED
mozilla63
| | Tracking | Status |
|---|---|---|
| firefox63 | --- | fixed |
People
(Reporter: cfu, Assigned: baku)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1] [domsecurity-active])
Attachments
(1 file, 1 obsolete file)
51.39 KB, patch (ckerschb: review+)
In bug 1037335, we introduced a basic implementation of the CSP violation event, which is fired to the policy's loading document. We are going to update how the event target is determined according to the latest standard.
https://w3c.github.io/webappsec-csp/#report-violation
Updated•7 years ago
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Comment 1•6 years ago (Assignee)
Still waiting for a full green result...
Assignee: nobody → amarchesini
Updated•6 years ago (Assignee)
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog1] → [domsecurity-backlog1] [domsecurity-active]
Comment 2•6 years ago (Assignee)
Comment on attachment 8989805 [details] [diff] [review]
csp_target.patch

This doesn't fix a corner case:

```js
var iframe = document.createElement('iframe');
document.body.appendChild(iframe);
iframe.src = "javascript:something";
```

in theory, iframe should be the target for the CSP violation event, but we still send events to the document.
I know why, but I need to talk with bz to find the correct way to fix this issue.
Follow up.
Attachment #8989805 - Flags: review?(ckerschb)
Comment 3•6 years ago
(In reply to Andrea Marchesini [:baku] from comment #2)
> Comment on attachment 8989805 [details] [diff] [review]
> csp_target.patch
>
> This doesn't fix a corner case:
>
> var iframe = document.createElement('iframe');
> document.body.appendChild(iframe);
> iframe.src = "javascript:something";
>
> in theory, iframe should be the target for the CSP violation event, but we
> still send events to the document.
> I know why, but I need to talk with bz to find the correct way to fix this
> issue.
> Follow up.

As discussed on IRC, the follow up is Bug 1473630.
Blocks: 1473630
Comment 4•6 years ago (Assignee)
Attachment #8989805 - Attachment is obsolete: true
Attachment #8989805 - Flags: review?(ckerschb)
Attachment #8990985 - Flags: review?(ckerschb)
Comment 5•6 years ago
Comment on attachment 8990985 [details] [diff] [review]
csp_target.patch

Review of attachment 8990985 [details] [diff] [review]:
-----------------------------------------------------------------

Passing the triggeringElement around sounds good to me. r=me

PS: Probably you want to update the commit message.
Attachment #8990985 - Flags: review?(ckerschb) → review+
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1b3143e4ec83
Correct EventTarget for CSP violation events, r=ckerschb
Comment 7•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1b3143e4ec83
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox63: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
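
An added example, not part of the bug or its patch: a plain-JavaScript model of the target-selection steps in the spec section linked in the description, showing when the violating element is the event target and when the event falls back to the document or the worker global. The object shapes and the names `shadowIncludingRoot`, `pickViolationTarget` and `demo` are assumptions made for the illustration.

```javascript
// Plain-object model (constructed for illustration, not Gecko code) of the
// target-selection steps in the spec's "Report a violation" algorithm.
// Assumed node shape: { name, parent, host }; `host` exists only on a shadow root.

// Walk up to the root, crossing shadow boundaries via the shadow host.
function shadowIncludingRoot(node) {
  let current = node;
  while (current.parent || current.host) current = current.parent || current.host;
  return current;
}

// violation: { element, globalObject }. A Window-like global carries `document`;
// a worker-like global does not.
function pickViolationTarget(violation) {
  const globalObject = violation.globalObject;
  const isWindow = globalObject.document !== undefined;
  let target = violation.element;
  // An element outside the global's document (detached, or owned by another
  // document) is not used as the target.
  if (target !== null && isWindow && shadowIncludingRoot(target) !== globalObject.document) {
    target = null;
  }
  // Fall back to the global; for a Window that means its document.
  if (target === null) target = isWindow ? globalObject.document : globalObject;
  return target;
}

// Constructed sample tree: document > body > img, plus a shadow tree hosted on body.
const doc = { name: "document", parent: null };
const win = { name: "window", document: doc };
const body = { name: "body", parent: doc };
const img = { name: "img", parent: body };
const shadowRoot = { name: "shadow-root", parent: null, host: body };
const shadowImg = { name: "shadow-img", parent: shadowRoot };
const detachedImg = { name: "detached-img", parent: null };
const worker = { name: "worker-global" };

function demo() {
  const cases = [[img, win], [shadowImg, win], [detachedImg, win], [null, worker]];
  return cases.map(([element, globalObject]) => pickViolationTarget({ element, globalObject }).name);
}
console.log(demo());
```

Because the event bubbles, a listener registered on the document still sees violations targeted at an element and can read the offending node from `event.target`.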