Content-Security-Policy: report-uri directive doesn't work

Status: RESOLVED INVALID
Product / Component: Core / Security
Version: 17 Branch
Platform: x86_64 Linux
Reported: 6 years ago
Last modified: 5 years ago
Reporter: Taras (Unassigned)
Blocks: 1 bug
Attachments: 1

Description (Reporter, 6 years ago)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121128204232

Steps to reproduce:

1. Specify Content-Security-Policy with HTTP header:

  X-Content-Security-Policy:script-src 'self' http://example.com;report-uri http://localhost/csp/report.php

2. Navigate to URL: http://localhost/csp/test.php?foo=bar%3Cscript%20src=%22http://ha.ckers.org/xss.js%22%3E%3C/script%3E


Actual results:

The URL specified in the report-uri directive is not requested (you can see this e.g. if you write some log data in that script). The same case works well (a POST request is sent to the report-uri) in Chromium (Version 22.0.1229.94 Debian wheezy/sid (161065)).


Expected results:

report-uri should be requested, as described in https://developer.mozilla.org/en-US/docs/Security/CSP/Using_CSP_violation_reports

Updated (Reporter, 6 years ago)

Component: Untriaged → Security

Comment 1 (Danny Moules, 6 years ago)

Tested with a variety of rules on Nightly (21.0a1) and observed the same defective behaviour.

Tried:

script-src 'self' http://example.com; report-uri /report.php
script-src 'self' http://example.com; report-uri http://localhost/report.php
allow *; report-uri http://localhost/report.php
allow *; report-uri /report.php

Test cases on MXR here: http://mxr.mozilla.org/mozilla-central/source/content/base/test/unit/test_csputils.js#685

Comment 2 (6 years ago)

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130124 Firefox/21.0
Build ID: 20130124054158

Comment 3 (Reporter, 5 years ago)

Still not fixed in Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 :( Do you need additional information?

Updated (5 years ago)

Blocks: 663566
Component: Security → Security
Product: Firefox → Core

Comment (5 years ago)

Sid is this fixed now?
Flags: needinfo?(sstamm)

Comment (5 years ago)

Created attachment 765483 [details]: test script
Flags: needinfo?(sstamm)

Pretty sure our reporting mechanism is working as intended.

(In reply to Danny Moules from comment #1)
> script-src 'self' http://example.com; report-uri /report.php
> script-src 'self' http://example.com; report-uri http://localhost/report.php

With the X- header, both of these are invalid policies and are rolled back to "default-src 'none'".  There's no report URI allowed since the whole header is disregarded.  No reports means this is working as advertised.

> allow *; report-uri http://localhost/report.php
> allow *; report-uri /report.php

Tested both of these in 22.0a1 and they both generated the right report posts (with an attempt to execute inline script).

Resolving this bug invalid since the X- policies don't have default-src or allow directives and thus fail closed to "default-src 'none'", and I can't reproduce the lack of report problem with the last two test cases.

Please file a new bug if you have the same problems with the CSP 1.0 policies (Using Content-Security-Policy header without the X-).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
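The resolution above turns on one rule: under the pre-standard X-Content-Security-Policy header a policy with neither `allow` nor `default-src` is invalid and is replaced by `default-src 'none'`, which silently discards the `report-uri` too, whereas under the CSP 1.0 `Content-Security-Policy` header `default-src` is optional. The following is an added example (not code from the bug, the reporter, or Mozilla) that encodes that rule so you can predict whether a given header/policy pair can ever produce a report, parses the JSON body a CSP 1.0 browser POSTs to the report-uri, and can serve a test page so you can watch a real browser deliver the report. The handler class, the `/report` path, port 8000 and the sample report body are assumptions made for the example.

```python
# Added example, not from the bug or Mozilla: predict whether a CSP policy
# can report under the legacy X- header vs. the CSP 1.0 header, parse the
# report a browser POSTs to report-uri, and serve a page to try it live.
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

LEGACY_HEADER = "X-Content-Security-Policy"   # pre-standard Firefox header
STANDARD_HEADER = "Content-Security-Policy"   # CSP 1.0 header


def parse_policy(policy):
    """Split a CSP header value into {directive-name: [source-expr, ...]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def effective_policy(header_name, policy):
    """Return (directives actually enforced, whether report-uri is live).

    Legacy X- header: a policy with neither 'allow' nor 'default-src' is
    invalid and is replaced by "default-src 'none'", so report-uri is lost.
    CSP 1.0 header: default-src is optional, the policy stands as written.
    """
    directives = parse_policy(policy)
    if header_name.lower() == LEGACY_HEADER.lower():
        if "allow" not in directives and "default-src" not in directives:
            return {"default-src": ["'none'"]}, False
    return directives, "report-uri" in directives


def parse_report(body):
    """Extract the 'csp-report' object from a POSTed violation report."""
    data = json.loads(body)
    report = data.get("csp-report")
    if not isinstance(report, dict):
        raise ValueError("body is not a CSP violation report")
    return report


# Constructed sample (assumption) of what a CSP 1.0 browser POSTs when the
# bug's test URL tries to load the external script.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://localhost/csp/test.php?foo=bar",
    "violated-directive": "script-src 'self' http://example.com",
    "blocked-uri": "http://ha.ckers.org/xss.js",
}}).encode()

TEST_PAGE = (b"<!doctype html><p>CSP report-uri test</p>"
             b"<script src='http://ha.ckers.org/xss.js'></script>")

REPORTS = []   # reports received by ReportHandler, in arrival order


class ReportHandler(BaseHTTPRequestHandler):
    """GET / serves a page whose policy blocks the external script and names
    /report as report-uri; POST /report receives the resulting report."""
    policy = "script-src 'self'; report-uri /report"

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header(STANDARD_HEADER, self.policy)  # CSP 1.0: reports
        self.send_header(LEGACY_HEADER, self.policy)    # legacy: fails closed, no report
        self.end_headers()
        self.wfile.write(TEST_PAGE)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            REPORTS.append(parse_report(self.rfile.read(length)))
            print("report:", REPORTS[-1])
            self.send_response(204)
        except ValueError:
            self.send_response(400)
        self.end_headers()


if __name__ == "__main__":
    for header in (LEGACY_HEADER, STANDARD_HEADER):
        enforced, live = effective_policy(header, ReportHandler.policy)
        print(f"{header}: enforced={enforced} report-uri live={live}")
    print("serving http://localhost:8000/ ; reports print as they arrive")
    HTTPServer(("localhost", 8000), ReportHandler).serve_forever()
```

Run it, open http://localhost:8000/ in a browser that honours the CSP 1.0 header, and a report naming `http://ha.ckers.org/xss.js` as `blocked-uri` is printed; the same policy evaluated against the legacy header is predicted to fail closed with no report, which is exactly the behaviour the reporter saw.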