Firefox consumes resource when numerous CSPs are given
Categories
(Core :: DOM: Security, enhancement)
People
(Reporter: ive_jihwan, Unassigned, NeedInfo)
Attachments
(1 file)
451 bytes,
text/plain
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Steps to reproduce:
Add about 20k Content Security Policies to a single HTML document using both the HTTP header and the meta tag.
Actual results:
When a single HTML page gives numerous policies at once, Firefox consumes too much RAM and time while checking whether the content passes the CSP or not, whereas Chrome and Safari don't.
Expected results:
A CSP violation should be raised earlier/directly after the content violates any of the multiple policies when multiple policies are given. (As in https://w3c.github.io/webappsec-csp/#multiple-policies )
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•3 years ago
The section of the spec you referenced starts out (emphasis mine):
The above sections note that when multiple policies are present, each must be enforced or reported,
How can you report failures on each of them if you stop checking?
That would address the performance issue, but it wouldn't do anything about the RAM used to store the policies. Maybe Chrome has found a better data structure and we should look at that.
20K headers is of course ridiculous, and in the real world performance on such a site doesn't matter. Is this difference detectable on any realistic configuration?
Leaning toward "wontfix" on this, but maybe we should ask for a clarification on the spec. Maybe the "or reported" part was intended to apply to "report-only" headers, and enforced headers are allowed to stop and not give a full set of violation events/reports.
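The multiple-policies behaviour Comment 2 is discussing, as an added example that is not from the bug report or from Firefox's code: a toy evaluator that checks a load against every policy and records one violation per failing policy instead of stopping at the first failure. The sample policies, the helper names and the reduced source-expression matching are constructed assumptions, not the spec's full algorithm.

```javascript
// Added example (not from the bug report): a minimal model of the spec's
// multiple-policies behaviour. Each policy is enforced or reported on its own, so a
// load is blocked if ANY enforcing policy disallows it and every failing policy
// yields its own violation. Helper names are hypothetical.
// Constructed sample: two enforcing header policies and one report-only meta policy.
const SAMPLE_POLICIES = [
  { text: "default-src 'self'; img-src https:", reportOnly: false },
  { text: "img-src cdn.example", reportOnly: false },
  { text: "img-src 'none'", reportOnly: true },
];
// Parse "default-src 'self'; img-src https:" into { directive: [source exprs] }.
function parsePolicy(text) {
  const directives = {};
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}
// Match one source expression (subset only: 'none', 'self', *, scheme:, host, *.host).
function sourceMatches(expr, url, origin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === origin;
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const host = expr.replace(/^[a-z]+:\/\//i, '').replace(/:\d+$/, '');
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}
// One fetch directive against one policy, falling back to default-src.
function policyAllows(policy, directive, url, origin) {
  const list = policy[directive] ?? policy['default-src'];
  if (list === undefined) return true; // this policy does not govern the directive
  return list.some((expr) => sourceMatches(expr, url, origin));
}
// Check every policy with no early exit: one violation record per failing policy,
// and the load is blocked only when an enforcing (non report-only) policy fails.
function checkAll(policies, directive, urlString, origin) {
  const url = new URL(urlString);
  const violations = [];
  let blocked = false;
  policies.forEach(({ text, reportOnly }, index) => {
    if (!policyAllows(parsePolicy(text), directive, url, origin)) {
      violations.push({ policy: index, disposition: reportOnly ? 'report' : 'enforce' });
      if (!reportOnly) blocked = true;
    }
  });
  return { blocked, violations };
}
```

Stopping at the first enforcing failure would change only the number of violation records, not the block decision, which is the trade-off the comment raises.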
Updated•3 years ago