Send any existing site Cookies and/or HTTP Auth headers with CSP violation reports

RESOLVED FIXED

Status


Core
DOM: Core & HTML
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: bsterne, Assigned: bsterne)

Tracking

(Blocks: 1 bug)

Trunk

Firefox Tracking Flags

(firefox6 wontfix, firefox7 fixed, firefox8 fixed, firefox9 fixed)

Details

(Whiteboard: [qa-])

Attachments

(1 attachment)

(Assignee)

Description

6 years ago
Since we removed the request-headers field from the violation reports in bug 664983, sites no longer have a reliable way of identifying the user that experienced the violation.  We should send Cookies and Authorization headers, if they exist in the browser for the site in question, with the report request.  I verified with Adam Barth that this is what the WebKit implementation does.

This should also fix bug 658979.
(Assignee)

Updated

6 years ago
Blocks: 658979
(Assignee)

Comment 1

6 years ago
Created attachment 553955 [details] [diff] [review]
Fix - remove LOAD_ANONYMOUS
Assignee: nobody → bsterne
Attachment #553955 - Flags: review?(dveditz)
Comment 2

Comment on attachment 553955 [details] [diff] [review]
Fix - remove LOAD_ANONYMOUS

r=dveditz

Since fixing bug 664983, we found a couple of popular sites that were working towards a CSP deployment and now can't tell what the violating content was without knowing the user who had the violation. They were pulling cookies out of the response headers we killed and they still need that information.

Firefox 6 is a loss for those folks and they now can't deploy, but we have a chance to take this safe fix and make Firefox 7 usable for them.
Attachment #553955 - Flags: review?(dveditz)
Attachment #553955 - Flags: review+
Attachment #553955 - Flags: approval-mozilla-beta?
Attachment #553955 - Flags: approval-mozilla-aurora?

Comment 3

6 years ago
Comment on attachment 553955 [details] [diff] [review]
Fix - remove LOAD_ANONYMOUS

Approved for beta and aurora.
Attachment #553955 - Flags: approval-mozilla-beta?
Attachment #553955 - Flags: approval-mozilla-beta+
Attachment #553955 - Flags: approval-mozilla-aurora?
Attachment #553955 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 4

6 years ago
mozilla-central merge:
http://hg.mozilla.org/mozilla-central/rev/b354d9b3e9e1
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Assignee)

Comment 5

6 years ago
mozilla-aurora merge:
http://hg.mozilla.org/releases/mozilla-aurora/rev/a2533f29b2d6

mozilla-beta merge:
http://hg.mozilla.org/releases/mozilla-beta/rev/39f898b72ee2
status-firefox6: --- → wontfix
status-firefox7: --- → fixed
status-firefox8: --- → fixed
status-firefox9: --- → fixed

Comment 6

6 years ago
Can anyone please help me with some guidelines or STR I can use to verify this fix?

Thank you
(Assignee)

Comment 7

6 years ago
(In reply to Ioana Budnar [QA] from comment #6)
> Can anyone please help me with some guidelines or STR I can use to verify
> this fix?

Create a web page that:
  1. sends Set-Cookie
  2. sends a Content Security Policy with a report-uri
  3. contains a policy violation

Verify that the report request contains the cookie you set in 1.
Comment 8

qa- based on comment 7. If someone can provide a testcase to test this bug fix, please do so.
Whiteboard: [qa-]