Bug 679772 - Send any existing site Cookies and/or HTTP Auth headers with CSP violation reports
Status: RESOLVED FIXED
Whiteboard: [qa-]
Product: Core
Classification: Components
Component: DOM: Core & HTML
Version: Trunk
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Brandon Sterne (:bsterne)
Blocks: 658979
Reported: 2011-08-17 10:18 PDT by Brandon Sterne (:bsterne)
Modified: 2011-09-22 16:50 PDT (History)
CC: 4 users

Attachments
Fix - remove LOAD_ANONYMOUS (771 bytes, patch)
2011-08-17 16:39 PDT, Brandon Sterne (:bsterne)
dveditz: review+
christian: approval-mozilla-aurora+
christian: approval-mozilla-beta+

Description Brandon Sterne (:bsterne) 2011-08-17 10:18:25 PDT
Since we removed the request-headers field from the violation reports in bug 664983, sites no longer have a reliable way of identifying the user that experienced the violation.  We should send Cookies and Authorization headers, if they exist in the browser for the site in question, with the report request.  I verified with Adam Barth that this is what the WebKit implementation does.

This should also fix bug 658979.
Comment 1 Brandon Sterne (:bsterne) 2011-08-17 16:39:52 PDT
Created attachment 553955
Fix - remove LOAD_ANONYMOUS
Comment 2 Daniel Veditz [:dveditz] 2011-08-22 11:14:09 PDT
Comment on attachment 553955
Fix - remove LOAD_ANONYMOUS

r=dveditz

since fixing bug 664983 we found a couple of popular sites who were working towards a CSP deployment who now can't tell what the violating content was without knowing the user who had the violation. They were pulling cookies out of the response headers we killed and they still need that information.

Firefox 6 is a loss for those folks and they now can't deploy, but we have a chance to take this safe fix and make Firefox 7 usable for them.
Comment 3 christian 2011-08-22 15:04:57 PDT
Comment on attachment 553955
Fix - remove LOAD_ANONYMOUS

Approved for beta and aurora.
Comment 4 Brandon Sterne (:bsterne) 2011-08-24 09:55:48 PDT
mozilla-central merge:
http://hg.mozilla.org/mozilla-central/rev/b354d9b3e9e1
Comment 5 Brandon Sterne (:bsterne) 2011-08-26 11:27:55 PDT
mozilla-aurora merge:
http://hg.mozilla.org/releases/mozilla-aurora/rev/a2533f29b2d6

mozilla-beta merge:
http://hg.mozilla.org/releases/mozilla-beta/rev/39f898b72ee2
Comment 6 Ioana (away) 2011-08-29 07:36:45 PDT
Can anyone please help me with some guidelines or STR I can use to verify this fix?

Thank you.
Comment 7 Brandon Sterne (:bsterne) 2011-08-29 15:01:14 PDT
(In reply to Ioana Budnar [QA] from comment #6)
> Can anyone please help me with some guidelines or STR I can use to verify
> this fix?

Create a web page that:
  1. sends Set-Cookie
  2. sends a Content Security Policy with a report-uri
  3. contains a policy violation

Verify that the report request contains the cookie you set in 1.
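A local fixture for the steps in comment 7, added here as an example and not part of the bug or the patch: it assumes only Python 3's http.server, serves a page that sets a cookie, sends a CSP with a report-uri (both the prefixed X-Content-Security-Policy header that Firefox of that era read and the unprefixed one) and contains an inline-script violation, and records whether each report POST to /report carried that cookie. Point a browser at the URL returned by `start_server` to check the real behaviour; `report_has_cookie` only simulates the two outcomes (cookie attached, or stripped as LOAD_ANONYMOUS did) so the fixture can be exercised without a browser.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

COOKIE = "csp_test=user42"  # constructed sample cookie, not from the bug
POLICY = "default-src 'self'; report-uri /report"
REPORTS = []  # Cookie header (or None) seen on each report POST, in order

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):  # STR steps 1-3: Set-Cookie, CSP with report-uri, inline-script violation
        body = b"<!doctype html><p>CSP test</p><script>document.title='violation'</script>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Set-Cookie", COOKIE + "; Path=/")
        # Firefox of this era read the prefixed header; current browsers read the unprefixed one.
        self.send_header("X-Content-Security-Policy", POLICY)
        self.send_header("Content-Security-Policy", POLICY)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):  # report-uri endpoint: record whether the cookie came with the report
        self.rfile.read(int(self.headers.get("Content-Length") or 0))  # consume the JSON body
        REPORTS.append(self.headers.get("Cookie"))
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # keep the fixture quiet
        pass

def start_server():
    """Bind a free localhost port, serve in the background, return (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

def page_headers(base_url):
    """Fetch the test page and return the Set-Cookie and Content-Security-Policy headers."""
    with urllib.request.urlopen(base_url + "/") as resp:
        return resp.headers["Set-Cookie"], resp.headers["Content-Security-Policy"]

def report_has_cookie(base_url, cookie):
    """Post a constructed violation report as a browser would; cookie=None mimics LOAD_ANONYMOUS."""
    body = json.dumps({"csp-report": {"violated-directive": "default-src 'self'"}}).encode()
    req = urllib.request.Request(base_url + "/report", data=body, method="POST", headers={"Content-Type": "application/json"})
    if cookie:
        req.add_header("Cookie", cookie)
    urllib.request.urlopen(req).close()
    return REPORTS[-1] == COOKIE
```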
Comment 8 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-09-22 16:50:00 PDT
qa- based on comment 7. If someone can provide a testcase to test this bug fix please do so.
