Closed Bug 820719 Opened 10 years ago Closed 10 years ago

Content-Security-Policy: report-uri directive doesn't work


(Core :: Security, defect)

17 Branch
Not set





(Reporter: oxdef, Unassigned)


(Blocks 1 open bug)



(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Build ID: 20121128204232

Steps to reproduce:

1. Specify Content-Security-Policy with HTTP header:

  X-Content-Security-Policy:script-src 'self';report-uri http://localhost/csp/report.php

2. Navigate to URL: http://localhost/csp/test.php?foo=bar%3Cscript%20src=%22

Actual results:

URL which specified in report-uri directive is not requested (you can see it e.g. if you write some log data in this script). In same this case works well (POST request is sended to report-uri) in Chromium (Version 22.0.1229.94 Debian wheezy/sid (161065)

Expected results:

report-uri should be requested as expected in
Component: Untriaged → Security
Tested with a variety of rules on Nightly (21.0a1) and observed the same defective behaviour.


script-src 'self'; report-uri /report.php
script-src 'self'; report-uri http://localhost/report.php
allow *; report-uri http://localhost/report.php
allow *; report-uri /report.php

Test cases on MXR here:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130124 Firefox/21.0
Build ID: 20130124054158
Still not fixed in Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0 :( Do you need additional information?
Blocks: csp-w3c-1.0
Product: Firefox → Core
Sid is this fixed now?
Flags: needinfo?(sstamm)
Attached file test script
Flags: needinfo?(sstamm)
Pretty sure our reporting mechanism is working as intended.

(In reply to Danny Moules from comment #1)
> script-src 'self'; report-uri /report.php
> script-src 'self'; report-uri http://localhost/report.php

With the X- header, both of these are invalid policies and are rolled back to "default-src 'none'".  There's no report URI allowed since the whole header is disregarded.  No reports means this is working as advertised.

> allow *; report-uri http://localhost/report.php
> allow *; report-uri /report.php

Tested both of these in 22.0a1 and they both generated the right report posts (with an attempt to execute inline script).

Resolving this bug invalid since the X- policies don't have default-src or allow directives and are thus failed closed to "default-src 'none'" and I can't reproduce the lack of report problem with the last two test cases.

Please file a new bug if you have the same problems with the CSP 1.0 policies (Using Content-Security-Policy header without the X-).
Closed: 10 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.