Closed Bug 604177 Opened 14 years ago Closed 10 years ago

CSP violation report could leak sensitive information in blocked-uri

Categories

(Core :: DOM: Core & HTML, defect, P3)

RESOLVED DUPLICATE of bug 767778

People

(Reporter: bsterne, Unassigned)

References

(Blocks 1 open bug)

Details

Say a site whitelists and includes an iframe from site-A which redirects through a third-party OAuth provider (or similar) which could contain an auth token in the URL. In these cases we would send this information in the report in the blocked-uri field.

Perhaps it would be better to send the original-uri and a blocked-domain field to prevent leaking potentially private info.
Related to bug 767778.
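As an added example (not Firefox code and not from this bug), here is what the suggested mitigation looks like on the report-collector side in Python: the endpoint reduces blocked-uri to its origin (the "blocked-domain" idea) before the report is stored, and flags reports whose original blocked-uri carried token-like parameters so the leak can be measured. The parameter-name list and the sample report are constructed assumptions.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Parameter names that commonly carry credentials in OAuth-style redirects
# (assumed list for illustration, not taken from the bug).
SENSITIVE_PARAMS = {"access_token", "token", "code", "id_token", "session"}

# Constructed CSP violation report: blocked-uri is the redirect target of a
# whitelisted iframe, and the redirect URL carries an auth token.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page",
    "violated-directive": "frame-src 'self' https://site-a.test",
    "blocked-uri": "https://oauth.provider.test/cb?access_token=EXAMPLE_TOKEN#state=xyz",
}})


def origin_only(uri: str) -> str:
    """Reduce a URI to scheme://host[:port]; keyword values like 'inline' or
    'eval' have no netloc and are returned unchanged."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        return uri
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def leaked_params(uri: str) -> list:
    """Names of sensitive-looking parameters in the query or fragment."""
    parts = urlsplit(uri)
    found = []
    for section in (parts.query, parts.fragment):
        for name in parse_qs(section, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                found.append(name)
    return found


def sanitize_report(raw: str) -> dict:
    """Parse a JSON CSP report and truncate blocked-uri to its origin,
    recording whether the original value looked like it leaked a credential."""
    report = json.loads(raw)["csp-report"]
    blocked = report.get("blocked-uri", "")
    report["leak-suspected"] = bool(leaked_params(blocked))
    report["blocked-uri"] = origin_only(blocked)
    return report


if __name__ == "__main__":
    print(json.dumps(sanitize_report(SAMPLE_REPORT), indent=2))
```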
Priority: -- → P3
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE