CSP 'report-sample' ignored/rejected when 'strict-dynamic' is used
Categories
(Core :: DOM: Security, defect, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox73 | --- | fixed |
People
(Reporter: emanuele.uliana.90, Assigned: jkt)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(1 file)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0
Steps to reproduce:
Visit any website that serves a CSP such that:
- script-src is included
- script-src includes both 'strict-dynamic' and 'report-sample'
(e.g., https://bugs.chromium.org)
Then check the browser console.
Actual results:
The following warning message appears on the browser console:
Content Security Policy: Ignoring “'report-sample'” within script-src: ‘strict-dynamic’ specified
While CSP violation reports are sent regardless of 'report-sample', the bug lies in the fact that the browser thinks 'report-sample' is part of a whitelist to discard due to 'strict-dynamic'.
Expected results:
'report-sample' should be recognized as a CSP keyword, rather than part of a whitelist.
Comment 1•4 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2•4 years ago
The problem is that our CSP parser ignores all srcs except hashes and nonces if strict-dynamic is used. Apparently we are not making an exception for report-sample - we should add that exception in our parser somewhere around here:
https://searchfox.org/mozilla-central/rev/c61720a7d0c094d772059f9d6a7844eb7619f107/dom/security/nsCSPParser.cpp#1065
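The parsing rule described in the report and in comment 2, modelled as an added example (this is not Firefox's nsCSPParser code and not the reporter's). It splits a policy string into directives, then applies the 'strict-dynamic' rule to script-src: nonces, hashes and a set of keywords survive, everything else is dropped with a warning in the shape of the console message quoted above. Two keyword sets are shown: a pre-fix set that keeps only 'strict-dynamic' itself (so 'report-sample' is wrongly discarded, reproducing the bug), and a fixed set that also keeps 'report-sample' and the other keywords CSP3 says 'strict-dynamic' does not override. The sample policy and the exact keyword sets are this example's assumptions, not captured from bugs.chromium.org or taken from the Firefox source.

```javascript
// Added example: a minimal model of CSP script-src handling under 'strict-dynamic'.
// Not Firefox code; the keyword sets below are this example's reading of CSP3.

const NONCE_RE = /^'nonce-[A-Za-z0-9+\/\-_]+=*'$/;
const HASH_RE = /^'sha(256|384|512)-[A-Za-z0-9+\/\-_]+=*'$/;

// Keywords that CSP3 says 'strict-dynamic' does NOT override (assumption:
// the spec ignores host/scheme sources, 'self' and 'unsafe-inline' only).
const KEYWORDS_KEPT_UNDER_STRICT_DYNAMIC = new Set([
  "'strict-dynamic'",
  "'report-sample'",
  "'unsafe-eval'",
  "'unsafe-hashes'",
  "'wasm-unsafe-eval'",
]);

// Model of the pre-fix behaviour described in comment 2: only nonces, hashes
// and 'strict-dynamic' itself survive, so 'report-sample' is discarded.
const PRE_FIX_KEPT = new Set(["'strict-dynamic'"]);

// Split "name v1 v2; name2 v3" into a Map of directive name -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Apply the 'strict-dynamic' rule to one source list. Returns the sources
// that remain effective, the ones ignored, and a warning per ignored source.
function applyStrictDynamic(sources, keptKeywords) {
  if (!sources.includes("'strict-dynamic'")) {
    return { effective: sources.slice(), ignored: [], warnings: [] };
  }
  const effective = [];
  const ignored = [];
  const warnings = [];
  for (const src of sources) {
    if (NONCE_RE.test(src) || HASH_RE.test(src) || keptKeywords.has(src)) {
      effective.push(src);
    } else {
      ignored.push(src);
      // Warning text modelled on the console message quoted in the report.
      warnings.push(
        `Content Security Policy: Ignoring "${src}" within script-src: 'strict-dynamic' specified`
      );
    }
  }
  return { effective, ignored, warnings };
}

// Evaluate the script-src directive of a full policy string.
function evaluateScriptSrc(header, keptKeywords = KEYWORDS_KEPT_UNDER_STRICT_DYNAMIC) {
  const sources = parsePolicy(header).get("script-src") || [];
  return applyStrictDynamic(sources, keptKeywords);
}

// Constructed policy in the shape the report describes (not a captured header).
const SAMPLE_POLICY =
  "script-src 'strict-dynamic' 'report-sample' 'nonce-abc123' 'self' https://cdn.example; " +
  "object-src 'none'; report-uri /csp";

const before = evaluateScriptSrc(SAMPLE_POLICY, PRE_FIX_KEPT);
const after = evaluateScriptSrc(SAMPLE_POLICY);
console.log("pre-fix warnings:\n  " + before.warnings.join("\n  "));
console.log("fixed effective sources:", after.effective.join(" "));
```

Run with `node`: the pre-fix pass warns about 'report-sample', 'self' and the CDN host, while the fixed pass warns only about the last two and keeps 'report-sample' as a keyword alongside the nonce. Note that the ignored sources are not errors in either case: 'self' and host sources are meant to be dropped under 'strict-dynamic', which is why the bug was purely the misclassification of 'report-sample'.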
Comment 3•4 years ago
Pushed by jkingston@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/98db4938529c Add 'report-sample' to CSP exemptions to invalidation when using 'strict-dynamic' r=ckerschb
Comment 5•4 years ago
bugherder