1603709 - CSP 'report-sample' ignored/rejected when 'strict-dynamic' is used

Status: RESOLVED FIXED

(Core :: DOM: Security, defect, P3)

Description

[Emanuele Uliana]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0

Steps to reproduce:

Visit any website that serves a CSP such that:

• script-src is included
• script-src includes both 'strict-dynamic' and 'report-sample'

(e.g., https://bugs.chromium.org)

Then check the browser console.

Actual results:

The following warning message appears on the browser console:

Content Security Policy: Ignoring “'report-sample'” within script-src: ‘strict-dynamic’ specified

While CSP violation reports are sent regardless of 'report-sample', the bug lies in the fact that the browser thinks 'report-sample' is part of a whitelist to discard due to 'strict-dynamic'

Expected results:

'report-sample' should be recognized as a CSP keyword, rather than part of a whitelist.

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Comment 2

[Christoph Kerschbaumer [:ckerschb]]

The problem is that our CSP parser ignores all srcs except hashes and nonces if strict-dynamic is used. Apparently we are not making an exception for report-sample - we should add that exception in our parser somewhere around here:
https://searchfox.org/mozilla-central/rev/c61720a7d0c094d772059f9d6a7844eb7619f107/dom/security/nsCSPParser.cpp#1065

Comment 3

[Jonathan Kingston [:jkt] he/him]

Attachment: Bug 1603709 - Add 'report-sample' to CSP exemptions to invalidation when using 'strict-dynamic' r?ckerschb

Comment 4

[Pulsebot]

Pushed by jkingston@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/98db4938529c
Add 'report-sample' to CSP exemptions to invalidation when using 'strict-dynamic' r=ckerschb

Comment 5

[Arthur Iakab [arthur_iakab]]

https://hg.mozilla.org/mozilla-central/rev/98db4938529c