Closed Bug 1476280 Opened 6 years ago Closed 6 years ago

SecurityPolicyViolationEvent.blockedURI should contain the original URL in case of redirects

Categories

(Core :: DOM: Security, enhancement)

enhancement
Not set
normal

RESOLVED FIXED
mozilla63
Tracking Status
firefox63 --- fixed

People

(Reporter: baku, Assigned: baku)

References

Details

(Whiteboard: [domsecurity-backlog1] [domsecurity-active][wptsync upstream])

Attachments

(2 files)

We currently report the final URL. This doesn't follow the CSP3 spec.
Whiteboard: [domsecurity-backlog1] [domsecurity-active]
Status: NEW → ASSIGNED
Attachment #8992632 - Flags: review?(ckerschb)
Attachment #8992634 - Flags: review?(ckerschb)
Comment on attachment 8992634 [details] [diff] [review]
part 2 - no cache

Review of attachment 8992634 [details] [diff] [review]:
-----------------------------------------------------------------

r+ on that cache removal which has become outdated for quite some time now and doesn't really buy us anything. thanks!
Attachment #8992634 - Flags: review?(ckerschb) → review+
Comment on attachment 8992632 [details] [diff] [review]
part 1 - redirect

Review of attachment 8992632 [details] [diff] [review]:
-----------------------------------------------------------------

please incorporate my nit and r=me

::: dom/security/nsCSPContext.cpp
@@ +95,5 @@
> +BlockedContentSourceToString(nsCSPContext::BlockedContentSource aSource,
> +                             nsACString& aString)
> +{
> +  switch (aSource) {
> +    case nsCSPContext::BlockedContentSource::eUnknown:
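
Review bot: in BlockedContentSourceToString, aString is an out-parameter that the switch on aSource is expected to fill, but nothing visible ahead of the switch puts it into a known state. Calling aString.Truncate() before the switch would guarantee that callers never read stale contents if an enumerator is ever left without a case.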

I think it would be better to move eUnknown to the bottom with a fall through to default: to make sure in case someone extends the enum but does not update that code correctly, it fails/truncates by default.
Attachment #8992632 - Flags: review?(ckerschb) → review+
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/11e3d3bd2328
SecurityPolicyViolationEvent.blockedURI should contain the original URL in case of redirects, r=ckerschb
The cache patch is going to land in a separate bug. See bug 1476592
Blocks: 1476592
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/12062 for changes under testing/web-platform/tests
Whiteboard: [domsecurity-backlog1] [domsecurity-active] → [domsecurity-backlog1] [domsecurity-active][wptsync upstream]
https://hg.mozilla.org/mozilla-central/rev/11e3d3bd2328
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63