Open Bug 1639096 Opened 4 years ago Updated 4 years ago

Maybe too verbose warning about the usage of script-dynamic by included remote sites

Categories: Core :: DOM: Security, enhancement, P3
Version: 75 Branch
Status: UNCONFIRMED
People: Reporter: tobias.zulauf, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [domsecurity-backlog1]
Attachments: 1 file

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36

Steps to reproduce:

Please go to the joomla.org home page and check the browser console with Firefox and Chrome.

I'm running version 75 and it claims to be up-to-date right now.

Additional info
The main site of joomla.org sets this Content-Security-Policy:

default-src 'self';
script-src 'self' 'unsafe-inline' https://*.google-analytics.com https://*.googletagmanager.com https://*.googleapis.com https://*.gstatic.com https://*.google.com https://*.joomla.org https://*.pingdom.net https://*.googleapis.com https://*.doubleclick.net https://*.amazon-adsystem.com https://completion.amazon.com;
style-src 'self' 'unsafe-inline' https://*.joomla.org https://fonts.googleapis.com;
connect-src 'self' https://*.joomla.org https://*.pingdom.net https://*.doubleclick.net https://*.google-analytics.com;
frame-src 'self' https://*.google.com https://www.googletagmanager.com https://www.youtube.com https://www.youtube-nocookie.com https://www.slideshare.net;
font-src 'self' https://fonts.gstatic.com https://*.joomla.org;
img-src 'self' data: https://*.google-analytics.com https://*.googletagmanager.com https://*.joomla.org https://*.pingdom.net https://*.doubleclick.net https://*.gstatic.com https://*.google.com https://*.googleapis.com https://shield.sitelock.com https://img.youtube.com https://i1.ytimg.com https://i.ytimg.com https://i9.ytimg.com https://s.ytimg.com https://*.amazon-adsystem.com https://*.ssl-images-amazon.com https://*.assoc-amazon.com https://opensourcematters.org https://*.opensourcematters.org;
media-src 'self' https://*.googlevideo.com;
frame-ancestors 'self';
report-uri https://joomla.report-uri.com/r/t/csp/enforce

Please note that we don't set script-dynamic ourselves.

Actual results:

In Firefox we get warnings about the usage of script-dynamic where we (main document) don't use script-dynamic.

The only site that includes script-dynamic is the google anchor service.

Expected results:

It would be great if the warning could be extended to mention the document that this message is coming from, so it is clear to the person who gets that report that this warning is not always about the main document but, as in this case, about a remote site that we include.
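As an added illustration of the attribution problem described in this report (this is not code from the bug, from Firefox or from Joomla), the following script parses the CSP of each document in a page separately and reports only the documents whose script-src actually carries 'strict-dynamic', together with the source expressions a browser ignores once that keyword is present ('self', 'unsafe-inline', host and scheme sources, per CSP3). The first policy is an abbreviated form of the joomla.org header quoted above; the embedded-frame policy and its URL are constructed for the example.

```python
# Added example: per-document CSP audit that attributes a 'strict-dynamic'
# warning to the document that ships it. Not code from the bug report.
from dataclasses import dataclass, field


def parse_csp(header: str) -> dict[str, list[str]]:
    """Turn a serialized policy into {directive: [source expressions]}.

    Directive names are case-insensitive and, per the CSP spec, only the
    first occurrence of a directive name is honoured.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def ignored_under_strict_dynamic(source: str) -> bool:
    """True if CSP3 tells the browser to ignore this script-src entry once
    'strict-dynamic' is present: 'self', 'unsafe-inline', host sources and
    scheme sources. Nonces, hashes and other quoted keywords stay in effect."""
    s = source.lower()
    if s in ("'self'", "'unsafe-inline'"):
        return True
    return not s.startswith("'")


@dataclass
class Finding:
    document: str            # URL of the document whose policy triggers the warning
    directive: str           # directive that carried 'strict-dynamic'
    ignored: list[str] = field(default_factory=list)


def audit(documents: dict[str, str]) -> list[Finding]:
    """documents maps a document URL (top-level page or an embedded frame) to
    the CSP it was served with. One Finding per document that combines
    'strict-dynamic' with sources the browser will ignore."""
    findings: list[Finding] = []
    for url, header in documents.items():
        policy = parse_csp(header)
        # script-src falls back to default-src when it is absent
        directive = "script-src" if "script-src" in policy else "default-src"
        sources = policy.get(directive, [])
        if "'strict-dynamic'" not in [s.lower() for s in sources]:
            continue
        ignored = [s for s in sources if ignored_under_strict_dynamic(s)]
        if ignored:
            findings.append(Finding(url, directive, ignored))
    return findings


# Constructed input. MAIN_DOCUMENT_CSP abbreviates the joomla.org header from
# the report; EMBEDDED_FRAME_CSP and its URL are made up for this example.
MAIN_DOCUMENT_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://*.google-analytics.com https://*.joomla.org; "
    "frame-src 'self' https://*.google.com"
)
EMBEDDED_FRAME_CSP = (
    "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https: 'self'; "
    "object-src 'none'"
)

DOCUMENTS = {
    "https://www.joomla.org/": MAIN_DOCUMENT_CSP,
    "https://embed.example.invalid/anchor": EMBEDDED_FRAME_CSP,
}


def format_report(findings: list[Finding]) -> list[str]:
    """Render each finding the way a console message that names its source
    document would read."""
    return [
        f"CSP ({f.document}): 'strict-dynamic' in {f.directive} makes the browser "
        f"ignore {', '.join(f.ignored)}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in format_report(audit(DOCUMENTS)):
        print(line)
```

Run as-is, the only finding names the embedded frame, not https://www.joomla.org/: the main document's script-src has no 'strict-dynamic', so the warning an operator sees in the console belongs to the included document, which is exactly the distinction the report asks the message to make explicit.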

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Audio/Video: Playback
Product: Firefox → Core
Component: Audio/Video: Playback → DOM: Security

Harald, is there an option that we can cluster those error messages together so the Firefox CSP warning gets less verbose?

Flags: needinfo?(hkirschner)

We have that on file in bug 1525624 and would need your help to do it. You can see the patches that grouped samesite cookies for reference in bug 1622306.

Flags: needinfo?(hkirschner)
See Also: → 1525624
Blocks: csp-w3c-3
Severity: -- → S3
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]