Open Bug 1876303 Opened 5 months ago Updated 4 months ago

Setting `Content-Security-Policy-Report-Only` header via `setAttribute` throws no error

Categories: Core :: DOM: Security (enhancement, P3)

Tracking: (none)

People: Reporter: mbrodesser-Igalia; Assignee: Unassigned

References: Blocks 1 open bug

Details: Whiteboard: [domsecurity-backlog2]

E.g. https://jsfiddle.net/35yvpndq/2/

Throws an error with Chrome.

Spec: see the note at https://w3c.github.io/webappsec-csp/#cspro-header.

Didn't check whether it actually has an effect. Throwing would be clearer in any case.

Happens with Firefox 121.0.1 on Ubuntu.

Group: core-security → dom-core-security

I don't know if it has an effect (we definitely should check), but even in the worst case Firefox doesn't support report-to and requires same-origin for report-uri, so you can't achieve the information leakage the restriction was intended to prevent.

I suspect we are catching it in the CSP part of the code, but that might be too deep to throw errors back to the DOM setAttribute() function.

Keywords: sec-low

report-to is currently being implemented in https://bugzilla.mozilla.org/show_bug.cgi?id=1391243.

I think this is a functional bug rather than a security bug. Anyone opposed to making this public?

Go ahead. It would be nice to report an error here. (It doesn't throw in the JS sense)
We explicitly only handle "Content-Security-Policy" in the <meta> code: https://searchfox.org/mozilla-central/rev/cee2c396081d950f9e3401113fb179999e404ab8/dom/html/HTMLMetaElement.cpp#90-113

Group: dom-core-security

The severity field is not set for this bug.
:freddy, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(fbraun)

We're not violating the spec: the spec says it shouldn't be supported and we don't support it. A console error message would be helpful for developers but we'll call it an enhancement because it's not required by the spec.

Severity: -- → S4
Type: defect → enhancement
Keywords: sec-low
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]

I could see someone fixing this as a good first bug, where we log to the console when someone tries to add a CSP-RO without an HTTP header.

Flags: needinfo?(fbraun)
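As an added illustration of the behaviour discussed in this bug (this is example code, not Firefox's HTMLMetaElement handling and not part of the bug), the following JavaScript models how a browser is expected to treat `<meta http-equiv>` CSP delivery according to the spec section linked in comment 0: a `Content-Security-Policy` meta is applied after the `report-uri`, `frame-ancestors` and `sandbox` directives are stripped, while `Content-Security-Policy-Report-Only` is simply not honoured. The console message it emits for the report-only case is the enhancement proposed above; its wording, the function names and the `SAMPLE_METAS` fixture are assumptions made for this example.

```javascript
// Added example, not Firefox code. Models <meta http-equiv> CSP delivery per
// https://w3c.github.io/webappsec-csp/#meta-element and the CSP-RO note.

// Directives the spec removes from a policy delivered via <meta>.
const DROPPED_IN_META = new Set(["report-uri", "frame-ancestors", "sandbox"]);

// Parse a serialized CSP ("default-src 'self'; img-src *") into
// [{name, values}]. Names are case-insensitive; the first occurrence of a
// directive name wins and later duplicates are ignored, as in the spec.
function parseSerializedCsp(serialized) {
  const directives = [];
  for (const token of serialized.split(";")) {
    const trimmed = token.trim();
    if (trimmed === "") continue;
    const [name, ...values] = trimmed.split(/\s+/);
    const lname = name.toLowerCase();
    if (directives.some((d) => d.name === lname)) continue;
    directives.push({ name: lname, values });
  }
  return directives;
}

// Decide what a <meta http-equiv="..." content="..."> pair does.
// Returns { applied, directives, dropped, warning }.
function classifyMetaCsp(httpEquiv, content) {
  const result = { applied: false, directives: [], dropped: [], warning: null };
  const equiv = (httpEquiv || "").trim().toLowerCase();

  if (equiv === "content-security-policy") {
    for (const d of parseSerializedCsp(content || "")) {
      if (DROPPED_IN_META.has(d.name)) result.dropped.push(d.name);
      else result.directives.push(d);
    }
    result.applied = true;
  } else if (equiv === "content-security-policy-report-only") {
    // Not supported via <meta>: the policy is ignored. This message is the
    // developer-facing console error the bug proposes (wording is assumed).
    result.warning =
      "Content-Security-Policy-Report-Only cannot be delivered via a <meta> " +
      "element; it is only honoured as an HTTP response header and was ignored.";
  }
  return result;
}

// Walk a list of meta elements (anything exposing getAttribute, e.g. the
// result of document.querySelectorAll('meta[http-equiv]') in a browser),
// log the proposed error for each ignored CSP-RO meta, and return the warnings.
function auditMetaElements(metas) {
  const warnings = [];
  for (const el of metas) {
    const r = classifyMetaCsp(el.getAttribute("http-equiv"), el.getAttribute("content"));
    if (r.warning) {
      console.error(r.warning);
      warnings.push(r.warning);
    }
  }
  return warnings;
}

// Constructed sample input: two <meta> elements as a page like the jsfiddle
// might carry, mimicking the getAttribute() subset of Element used above.
const SAMPLE_METAS = [
  { "http-equiv": "Content-Security-Policy", content: "default-src 'self'; report-uri /r" },
  { "http-equiv": "Content-Security-Policy-Report-Only", content: "script-src 'none'" },
].map((attrs) => ({ getAttribute: (n) => (n in attrs ? attrs[n] : null) }));

auditMetaElements(SAMPLE_METAS);
```

In a real page the same audit is `auditMetaElements(document.querySelectorAll('meta[http-equiv]'))`; today neither Firefox nor the spec raises anything for the report-only case, so a check like this is the only way to notice that the policy was silently dropped.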