Closed Bug 1439425 Opened 6 years ago Closed 6 years ago

Content Security Policy: Couldn’t process unknown directive ‘’

Categories

(Core :: DOM: Security, defect, P2)

58 Branch
defect

Tracking


RESOLVED FIXED
mozilla61
Tracking Status
firefox61 --- fixed

People

(Reporter: bugzilla, Assigned: jkt)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce:

Create a CSP that only contains ";". Here is the Nginx config:

    add_header Content-Security-Policy ";" always;



Actual results:

Console error message:

Content Security Policy: Couldn’t process unknown directive ‘’


Expected results:

Either a more useful warning, like 'the policy is invalid/empty', or no warning, which is Chrome's behaviour.
Blocks: CSP
Component: Untriaged → Security
Product: Firefox → Core
Assignee: nobody → jkt
Some CSPParser tests are failing on try; looking into why. Also an http-equiv wpt test: https://treeherder.mozilla.org/#/jobs?repo=try&revision=afb13e7e08de14b31f0cbeb303545062fc4b247b&selectedJob=166387326
Comment on attachment 8956690 [details]
Bug 1439425 - Ignore empty CSP directives.

https://reviewboard.mozilla.org/r/225650/#review231666

A little hacky but good enough for me. Thanks for picking this up, jkt!
Attachment #8956690 - Flags: review?(ckerschb) → review+
:ckerschb, ReviewBoard is still giving me an r+. However, I also made sure the value is empty, as it was failing some tests, and to make it less hacky. I'd appreciate it if you could check it over before I land it.
Thanks!
Flags: needinfo?(ckerschb)
(In reply to Jonathan Kingston [:jkt] (on PTO) from comment #5)
> :ckerschb, ReviewBoard is still giving me an r+. However, I also made sure
> the value is empty, as it was failing some tests, and to make it less hacky.
> I'd appreciate it if you could check it over before I land it.


Where do we actually log to the console now? Shouldn't that happen here?
https://hg.mozilla.org/try/rev/a91e98bbc53c172cfee976bfa6c899fe4439e52b#l1.12
Flags: needinfo?(ckerschb) → needinfo?(jkt)
Flags: needinfo?(jkt) → needinfo?(ckerschb)
Sorry, I didn't understand.

I moved the check into a function call to make it cleaner. I also moved the code into the directive code which is earlier in the call stack as it involves both key and value data which seemed to belong there rather than directive name.
I don't think we should ever be logging for invalid consoles, right?
(In reply to Jonathan Kingston [:jkt] (on PTO) from comment #8)
> Sorry, I didn't understand.
> 
> I moved the check into a function call to make it cleaner. I also moved the
> code into the directive code which is earlier in the call stack as it
> involves both key and value data which seemed to belong there rather than
> directive name.
> I don't think we should ever be logging for invalid consoles, right?

Ah, that makes the most sense to me. The check happens earlier so we are not logging to the console at all. thanks!

r+
Flags: needinfo?(ckerschb)
Component: Security → DOM: Security
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P2
Whiteboard: [domsecurity-active]
Pushed by jkingston@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cfe09d016e77
Ignore empty CSP directives. r=ckerschb
https://hg.mozilla.org/mozilla-central/rev/cfe09d016e77
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61