CSP is sending violation reports over HTTP

Status: RESOLVED INVALID (defect)
Reporter: cjones (Unassigned)
Firefox Tracking Flags: Not tracked

See bug 782542 comment 90.

In addition to this breaking our network security model (delicious irony!), it will bill users on cellular data for errors in web apps.  No thank you :).
blocking-basecamp: --- → ?

cjones: to what URL is CSP trying to send the reports?  It's not clear what CSP is applied from your laughter comment in bug 782542 (and I'm not sure I follow what's going on in that bug, though admit I haven't read the whole thing).

Our default app policy shouldn't cause policies to get sent, though any errors would trigger the _asyncReportViolation() to execute -- it may *try* to send reports to an empty list of destinations.  (Report URIs are required to be same-scheme and same ETLD+1, see http://mxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm#317)

Can you dig into the test case and pull out the CSP that's applied to the app and where it's trying to send reports?
Flags: needinfo?(jones.chris.g)

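The destination filtering that the comment above describes, as an added example in JavaScript (not Gecko's own CSPUtils.jsm code): it pulls the report-uri directive out of a policy and keeps only targets that are same-scheme and same eTLD+1 as the document, so a policy that reports elsewhere, or has no report-uri at all, yields the empty destination list mentioned in the comment. The eTLD+1 check uses a small constructed suffix table instead of the real Public Suffix List, and the document URL and policies are constructed sample values.

```javascript
// Added example, not Gecko's code: models the same-scheme / same-eTLD+1 rule
// for CSP report-uri destinations described in the comment above.
// Assumption: a tiny constructed suffix table stands in for the Public Suffix List.
const KNOWN_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Registrable domain (eTLD+1) of a hostname, e.g. "app.example.co.uk" -> "example.co.uk".
// Returns null when no known public suffix matches.
function etldPlusOne(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // Longest candidate suffix first (labels[1..]), then progressively shorter ones.
  for (let i = 1; i < labels.length; i++) {
    if (KNOWN_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// URI tokens of the report-uri directive in a CSP header value ([] if absent).
function parseReportUris(policy) {
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "report-uri") {
      return tokens.slice(1).filter(Boolean);
    }
  }
  return [];
}

// Resolve each report-uri against the document URL and keep only those that
// share the document's scheme and eTLD+1; everything else is silently dropped,
// which is how a policy can end up with an empty list of report destinations.
function allowedReportDestinations(documentUrl, policy) {
  const doc = new URL(documentUrl);
  const docSite = etldPlusOne(doc.hostname);
  const allowed = [];
  for (const token of parseReportUris(policy)) {
    let target;
    try {
      target = new URL(token, doc); // relative report-uri values resolve against the document
    } catch (e) {
      continue; // unparsable entry: ignore it
    }
    if (target.protocol !== doc.protocol) continue; // scheme must match (e.g. no https -> http)
    if (docSite === null || etldPlusOne(target.hostname) !== docSite) continue; // same eTLD+1 only
    allowed.push(target.href);
  }
  return allowed;
}
```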
I don't know the exact URL, but I agree with you that it's the Marketplace's CSP that's causing the report to be sent.  I think that's probably fine since web pages cause gecko to generate network traffic by definition.

The laughter wasn't directed at CSP itself, just the irony of the CSP report breaking our big OS network security patch ;).
Flags: needinfo?(jones.chris.g)

This isn't gecko-controlled network traffic, but content-controlled.
Status: NEW → RESOLVED
blocking-basecamp: ? → ---
Closed: 7 years ago
Resolution: --- → INVALID