Bug 604177
Opened 14 years ago
Closed 10 years ago
CSP violation report could leak sensitive information in blocked-uri
Categories: Core :: DOM: Core & HTML, defect, P3
Status: RESOLVED DUPLICATE of bug 767778
People: Reporter: bsterne; Assignee: Unassigned
References: Blocks 1 open bug
Details
Say a site whitelists and includes an iframe from site-A which redirects through a third-party OAuth provider (or similar) which could contain an auth token in the URL. In these cases we would send this information in the report in the blocked-uri field. Perhaps it would be better to send the original-uri and a blocked-domain field to prevent leaking potentially private info.
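The leak the report describes, and the reshaped report it proposes, as an added example in plain JavaScript. This is not code from the bug or from Firefox: the policy, the redirect chain, the sample token and the field names `original-uri` / `blocked-domain` are constructed for illustration (the field names follow the bug's suggestion and are hypothetical), and CSP source matching is simplified to origin equality.

```javascript
// Added example, not code from the bug or from Firefox. Models how a CSP
// violation report is assembled when a whitelisted iframe redirects to a
// non-whitelisted URL, and compares the leaky report the bug describes with
// the sanitised form it proposes. Source matching is simplified to origin
// equality; real CSP source-expression matching is richer.

// Constructed policy: only site-a.example may be framed.
const POLICY = { 'frame-src': ['https://site-a.example'] };

// Constructed redirect chain for one iframe load. The first hop is
// whitelisted; the second is a third-party OAuth-style endpoint that is not
// whitelisted and carries a (sample, constructed) token in its query string.
const REDIRECT_CHAIN = [
  'https://site-a.example/embed',
  'https://oauth.example/authorize?client=site-a&session_token=SAMPLE_TOKEN_abc123',
];

function originOf(u) {
  return new URL(u).origin;
}

// Simplified source matching: a URL is allowed if its origin is listed.
function allowedBy(policy, directive, u) {
  return (policy[directive] || []).includes(originOf(u));
}

// Walk the redirect chain and return the first hop the policy blocks,
// or null if every hop is allowed.
function firstBlockedHop(policy, directive, chain) {
  return chain.find(u => !allowedBy(policy, directive, u)) || null;
}

// Leaky report, as the bug describes: blocked-uri carries the full redirect
// target, token and all, to whatever endpoint report-uri names.
function leakyReport(policy, directive, chain, documentUri) {
  const blocked = firstBlockedHop(policy, directive, chain);
  if (blocked === null) return null;
  return {
    'csp-report': {
      'document-uri': documentUri,
      'violated-directive': directive,
      'blocked-uri': blocked,
    },
  };
}

// Proposed report: send the URL the page itself requested (original-uri),
// which the page author already knows, and only the host of the blocked hop
// (blocked-domain). Field names are the bug's suggestion, hypothetical here.
// When the first hop itself is blocked there was no redirect, so the full
// URL is the page's own markup and can be reported as before.
function sanitizedReport(policy, directive, chain, documentUri) {
  const blocked = firstBlockedHop(policy, directive, chain);
  if (blocked === null) return null;
  const report = {
    'document-uri': documentUri,
    'violated-directive': directive,
    'original-uri': chain[0],
  };
  if (blocked === chain[0]) {
    report['blocked-uri'] = blocked;
  } else {
    report['blocked-domain'] = new URL(blocked).host;
  }
  return { 'csp-report': report };
}

// Check whether a serialised report would carry a given secret.
function reportLeaksToken(report, token) {
  return JSON.stringify(report).includes(token);
}
```

Reporting only the host (or, scheme-aware, the origin) of a post-redirect hop removes the query string and fragment, which is where OAuth-style flows put tokens; the page author still gets the URL they actually wrote via `original-uri`, so the report stays actionable.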
Updated 10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE