Open Bug 1562908 Opened 5 years ago Updated 5 days ago

Provide content security policy hash and CSP header value in error message

Categories

(Core :: DOM: Security, enhancement, P3)

68 Branch
enhancement

UNCONFIRMED

People

(Reporter: rob, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Request a page that tries to add a <style> element while the CSP policy is set to disallow it.

Actual results:

Developer console correctly shows an error message.
"Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”)."

Expected results:

Like in Chrome, I would have liked to see the SHA hash that I could add to my CSP header, and possibly the current CSP header values that are set by the server.
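What such a console hint would have to compute, as an added example that is not part of the bug report or of Firefox's code: hash the exact text of each inline <style> element, wrap the digest as a CSP hash-source, and append it to the page's existing style-src directive. The sample page, the sample policy, and the helper names (extract_inline_styles, csp_hash, add_hashes_to_directive, suggest_policy) are constructed for this illustration.

```python
import base64
import hashlib
import re

# Constructed sample page with the kind of inline <style> element that a
# "style-src 'self'" policy blocks; not taken from the bug report.
SAMPLE_HTML = """<html><head>
<style>body { color: red; }</style>
</head><body>hi</body></html>"""

# Constructed sample of the header the server currently sends.
SAMPLE_POLICY = "default-src 'self'; style-src 'self'"

_STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style>", re.IGNORECASE | re.DOTALL)

def extract_inline_styles(html):
    """Return the exact text of each <style> element, whitespace included.
    CSP hashes the element's text content byte for byte, so nothing is trimmed."""
    return _STYLE_RE.findall(html)

def csp_hash(source_text, algorithm="sha256"):
    """Build the hash-source token CSP expects, e.g. 'sha256-<base64 digest>'.
    CSP permits sha256, sha384 and sha512. Element hashes work for <style>
    elements; style *attributes* additionally need 'unsafe-hashes' (CSP3)."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("unsupported CSP hash algorithm: " + algorithm)
    digest = hashlib.new(algorithm, source_text.encode("utf-8")).digest()
    return "'%s-%s'" % (algorithm, base64.b64encode(digest).decode("ascii"))

def add_hashes_to_directive(policy, directive, hashes):
    """Append hash-sources to one directive of a serialized CSP header,
    creating the directive if the policy does not contain it yet."""
    out, found = [], False
    for d in (p.strip() for p in policy.split(";") if p.strip()):
        if d.split()[0].lower() == directive:
            d, found = " ".join([d] + hashes), True
        out.append(d)
    if not found:
        out.append(" ".join([directive] + hashes))
    return "; ".join(out)

def suggest_policy(html, policy):
    """Hash every inline <style> element and return the amended header value."""
    hashes = [csp_hash(text) for text in extract_inline_styles(html)]
    return add_hashes_to_directive(policy, "style-src", hashes)

if __name__ == "__main__":
    print(suggest_policy(SAMPLE_HTML, SAMPLE_POLICY))
```

The emitted token only matches if the served element's text is byte-identical to what was hashed, so any change to the stylesheet (even whitespace) requires a new hash.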

Type: defect → enhancement
Component: Untriaged → DOM: Security
Product: Firefox → Core

Indeed, we are working on a variety of improvements around CSP console messages within Bug 1242016. I am adding this bug as a dependency so it will show up in triage meetings. Putting in the backlog for now.

Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

Baku, would this be a low-hanging fruit for security? I assume the backend already generates the hash or has the hashing function available when logging the CSP warning?

Flags: needinfo?(amarchesini)
Severity: normal → S3
Flags: needinfo?(amarchesini)