Setting `Content-Security-Policy-Report-Only` header via `setAttribute` throws no error
Categories
(Core :: DOM: Security, enhancement, P3)
People
(Reporter: mbrodesser-Igalia, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog2])
E.g. https://jsfiddle.net/35yvpndq/2/
Throws an error with Chrome.
Spec: see the note at https://w3c.github.io/webappsec-csp/#cspro-header.
Didn't check whether it actually has an effect. Throwing would be clearer in any case.
Happens with Firefox 121.0.1 on Ubuntu.
Comment 1•5 months ago
I don't know if it has an effect (we definitely should check), but even in the worst case Firefox doesn't support report-to and requires same-origin for report-uri, so you can't achieve the information leakage the restriction was intended to prevent.
I suspect we are catching it in the CSP part of the code, but that might be too deep to throw errors back to the DOM setAttribute() function.
Comment 2•5 months ago (Reporter)
report-to is currently being implemented in https://bugzilla.mozilla.org/show_bug.cgi?id=1391243.
Comment 3•5 months ago
I think this is a functional bug rather than a security bug. Anyone opposed to making this public?
Comment 4•5 months ago
> I think this is a functional bug rather than a security bug. Anyone opposed to making this public?
Go ahead. It would be nice to report an error here. (It doesn't throw in the JS sense)
We explicitly only handle "Content-Security-Policy" in the <meta> code: https://searchfox.org/mozilla-central/rev/cee2c396081d950f9e3401113fb179999e404ab8/dom/html/HTMLMetaElement.cpp#90-113
Comment 5•5 months ago
The severity field is not set for this bug.
:freddy, could you have a look please?
For more information, please visit BugBot documentation.
Comment 6•4 months ago
We're not violating the spec: the spec says it shouldn't be supported and we don't support it. A console error message would be helpful for developers but we'll call it an enhancement because it's not required by the spec.
Comment 7•4 months ago
I could see someone fixing this as a good first bug, where we log to the console when someone tries to add a CSP-RO without an HTTP header.
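Added example (not code from the bug report or from Firefox): a small page-side audit that applies the spec rule this thread turns on. Content-Security-Policy-Report-Only is only delivered as an HTTP response header, so a `<meta http-equiv>` carrying it is silently dropped, which is what the jsfiddle in the description shows; the same spec also ignores `report-uri`, `frame-ancestors` and `sandbox` when the enforced policy comes via `<meta>`. `auditMetaCsp` returns the findings a developer would want logged (the console message comment 7 asks the browser to emit), and `installMetaCspWithWarnings` wraps the `createElement`/`setAttribute` sequence so the warning is surfaced in browsers that stay silent. All function and constant names are this example's own assumptions.

```javascript
// Added example. Spec basis: https://w3c.github.io/webappsec-csp/#cspro-header
// (Report-Only is header-only) and the CSP3 <meta> rules (report-uri,
// frame-ancestors and sandbox are ignored in a <meta>-delivered policy).
// Names below are assumptions made for this example.

const ENFORCED_HEADER = "content-security-policy";
const REPORT_ONLY_HEADER = "content-security-policy-report-only";
const DIRECTIVES_IGNORED_IN_META = new Set(["report-uri", "frame-ancestors", "sandbox"]);

// Parse a serialized policy ("a b; c d") into [{ name, value }] pairs.
// Directive names are case-insensitive, so they are lower-cased here.
function parseSerializedPolicy(policy) {
  return policy
    .split(";")
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((s) => {
      const [name, ...rest] = s.split(/\s+/);
      return { name: name.toLowerCase(), value: rest.join(" ") };
    });
}

// Audit one <meta http-equiv="..." content="..."> pair.
// Returns an array of human-readable findings; an empty array means the
// delivery is one the spec actually honours.
function auditMetaCsp(httpEquiv, content) {
  const findings = [];
  const equiv = (httpEquiv || "").trim().toLowerCase();

  if (equiv === REPORT_ONLY_HEADER) {
    findings.push(
      "Content-Security-Policy-Report-Only is not supported via <meta>; " +
        "the policy is silently ignored. Send it as an HTTP response header."
    );
    return findings;
  }
  if (equiv !== ENFORCED_HEADER) {
    return findings; // some other http-equiv (e.g. refresh): not our concern
  }
  for (const { name } of parseSerializedPolicy(content || "")) {
    if (DIRECTIVES_IGNORED_IN_META.has(name)) {
      findings.push(
        `Directive '${name}' is ignored when the policy is delivered via <meta>; ` +
          "move it to the HTTP header."
      );
    }
  }
  return findings;
}

// Browser-side helper mirroring the setAttribute sequence from the report.
// Logs each finding to the console, then still inserts the element so the
// page behaves exactly as before; outside a DOM (e.g. Node) it only reports.
function installMetaCspWithWarnings(httpEquiv, content, doc = globalThis.document) {
  const findings = auditMetaCsp(httpEquiv, content);
  for (const f of findings) console.warn("[csp-meta-audit] " + f);
  if (!doc) return findings;
  const meta = doc.createElement("meta");
  meta.setAttribute("http-equiv", httpEquiv);
  meta.setAttribute("content", content);
  doc.head.appendChild(meta);
  return findings;
}
```

Run in a page, `installMetaCspWithWarnings("Content-Security-Policy-Report-Only", "default-src 'self'")` prints one warning and returns it; the enforced header with only honoured directives returns an empty array.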