Open Bug 1947457 Opened 1 month ago Updated 1 month ago

CSP-report document-uri is wrong

Categories

(Core :: DOM: Security, defect, P4)

Product:
Core
Component:
DOM: Security
Version:
Firefox 135
Type:
defect

Tracking

()

People

(Reporter: juha.hamalainen, Unassigned)

References

(Blocks 1 open bug)

Details

Steps to reproduce:

Go to a site where CSP or CSPRO is in use and report-uri defined.

Actual results:

When CSP violation is triggered, csp-report's document-uri is correct on first time, but if you navigate to another sub-page on that page and CSP violation happens again, csp-report's document-uri value points still to the first page.

Expected results:

Document-uri should have matched the uri where the violation happened. Shouldn't it be equal to document.documentURI which is shown also in browser's URL-bar? That's how it works on Chrome.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

Tom, can you take a look?

Severity: -- → S4
Flags: needinfo?(tschuster)
Priority: -- → P4

We use our old problematic mSelfURI to initialize the document-uri, which is just bound to cause issues like this. I think we could try do something to paper over this specific case however, by trying to retrieve the URL from mLoadingContext.

It still would be good to have a real test case for this. I didn't really expect the mSelfURI to be wrong for "simple" navigations.

Blocks: CSP
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(tschuster)

but if you navigate to another sub-page on that page and CSP violation happens again, csp-report's document-uri value points still to the first page.

Given the description, I suppose this may have something to do with e.g., pushState

You need to log in before you can comment on or make changes to this bug.