Open Bug 658979 Opened 13 years ago Updated 2 years ago

HTTP Auth is not working for CSP report request

Categories

(Core :: DOM: Core & HTML, defect, P5)

x86
Windows XP
defect

People

(Reporter: jz-2011, Unassigned)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20110302 Iceweasel/3.5.16 (like Firefox/3.5.16)
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

If I am sending a CSP header (with Header set X-Content-Security-Policy-Report-Only "allow <site uris removed>; options eval-script inline-script; report-uri /perl/csp-report.pl") to a site that is protected by HTTP authentication (Digest), the browser sends reporting requests. It does however not respond to the returned 401.



Reproducible: Always
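
The symptom reported above can be confirmed from the server side. The following is an added example, not part of the bug report or of Mozilla's code: it scans an access log for CSP report POSTs that were answered with 401 and never retried with credentials. It assumes Apache common log format and a 5-second retry window; the log lines are constructed sample data, and only the report path comes from the report.

```python
import re
from datetime import datetime, timedelta

REPORT_PATH = "/perl/csp-report.pl"   # report-uri quoted in the bug report
RETRY_WINDOW = timedelta(seconds=5)   # assumption: an authenticated retry follows quickly

# Constructed Apache common-log lines (sample data, not from the bug report).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2011:10:00:00 +0000] "GET /index.html HTTP/1.1" 401 401
192.0.2.10 - alice [01/Jun/2011:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jun/2011:10:00:01 +0000] "POST /perl/csp-report.pl HTTP/1.1" 401 401
192.0.2.20 - - [01/Jun/2011:10:05:00 +0000] "POST /perl/csp-report.pl HTTP/1.1" 401 401
192.0.2.20 - bob [01/Jun/2011:10:05:01 +0000] "POST /perl/csp-report.pl HTTP/1.1" 200 2
"""

LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def parse(log_text):
    """Yield (host, user, time, method, path, status) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            path = m["path"].split("?")[0]
            yield m["host"], m["user"], ts, m["method"], path, int(m["status"])

def dropped_reports(log_text):
    """Return (host, time) of report POSTs that got 401 with no authenticated retry."""
    events = [e for e in parse(log_text) if e[3] == "POST" and e[4] == REPORT_PATH]
    dropped = []
    for i, (host, _user, ts, _m, _p, status) in enumerate(events):
        if status != 401:
            continue
        # A working Digest exchange shows a second POST from the same host,
        # with a logged user name and a non-error status, shortly afterwards.
        retried = any(
            h == host and u != "-" and s < 400 and ts <= t <= ts + RETRY_WINDOW
            for h, u, t, _, _, s in events[i + 1:]
        )
        if not retried:
            dropped.append((host, ts.isoformat()))
    return dropped

if __name__ == "__main__":
    for host, when in dropped_reports(SAMPLE_LOG):
        print(f"CSP report from {host} at {when} got 401 and was never retried")
```
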
Not a networking issue; this is controlled by the necko consumer.

Note that CSP reports are not supposed to follow 3xx redirects per spec. It's not clear what they should do with 401.
Component: Networking → Security
QA Contact: networking → toolkit
I also have the same issue as described in the original bug report using the current version of Firefox 5.0 and standard digest authentication.

Because the CSP Report can only go to the same site which has the policy, this means it isn't possible to use CSP violation reporting on a site which uses HTTP authentication due to this bug as far as I can tell.

I'm hoping it will be possible for the CSP reporting functionality to be updated to handle the 401 code and authentication.
Depends on: 679772
This should be fixed by bug 679772.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Are the reporters satisfied that bug 679772 fixes this issue? Should be able to test in Firefox 7 (currently "Beta").
Component: Security → DOM
QA Contact: toolkit → general
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and have no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5
Component: DOM → DOM: Core & HTML
Severity: minor → S4