Closed Bug 820719 Opened 12 years ago Closed 11 years ago

Content-Security-Policy: report-uri directive doesn't work

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Version:
17 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: oxdef, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

test script
196 bytes, text/php
Details 
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121128204232

Steps to reproduce:

1. Specify Content-Security-Policy with HTTP header:

  X-Content-Security-Policy:script-src 'self' http://example.com;report-uri http://localhost/csp/report.php

2. Navigate to URL: http://localhost/csp/test.php?foo=bar%3Cscript%20src=%22http://ha.ckers.org/xss.js%22%3E%3C/script%3E


Actual results:

URL which specified in report-uri directive is not requested (you can see it e.g. if you write some log data in this script). In same this case works well (POST request is sended to report-uri) in Chromium (Version 22.0.1229.94 Debian wheezy/sid (161065)
).


Expected results:

report-uri should be requested as expected in https://developer.mozilla.org/en-US/docs/Security/CSP/Using_CSP_violation_reports
Component: Untriaged → Security
Tested with a variety of rules on Nightly (21.0a1) and observed the same defective behaviour.

Tried:

script-src 'self' http://example.com; report-uri /report.php
script-src 'self' http://example.com; report-uri http://localhost/report.php
allow *; report-uri http://localhost/report.php
allow *; report-uri /report.php

Test cases on MXR here: http://mxr.mozilla.org/mozilla-central/source/content/base/test/unit/test_csputils.js#685
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130124 Firefox/21.0
Build ID: 20130124054158
Still not fixed in Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 :( Do you need additional information?
Blocks: csp-w3c-1.0
Product: Firefox → Core
Sid is this fixed now?
Flags: needinfo?(sstamm)
Attached file test script 
Flags: needinfo?(sstamm)

    
    

    
  
Pretty sure our reporting mechanism is working as intended.

(In reply to Danny Moules from comment #1)
> script-src 'self' http://example.com; report-uri /report.php
> script-src 'self' http://example.com; report-uri http://localhost/report.php

With the X- header, both of these are invalid policies and are rolled back to "default-src 'none'".  There's no report URI allowed since the whole header is disregarded.  No reports means this is working as advertised.

> allow *; report-uri http://localhost/report.php
> allow *; report-uri /report.php

Tested both of these in 22.0a1 and they both generated the right report posts (with an attempt to execute inline script).

Resolving this bug invalid since the X- policies don't have default-src or allow directives and are thus failed closed to "default-src 'none'" and I can't reproduce the lack of report problem with the last two test cases.

Please file a new bug if you have the same problems with the CSP 1.0 policies (Using Content-Security-Policy header without the X-).
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: