CSP WARN: Couldn't process unknown directive 'Content-Security-Policy-Report-Only:'

RESOLVED INVALID

Product: Core
Component: Security
Reporter: Pawel Krawczyk (Unassigned)
Blocks: 1 bug
Version: 20 Branch
Platform: x86, Windows XP
Firefox Tracking Flags: Not tracked

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22

Steps to reproduce:

Entered page with CSP specified in report-only mode using Content-Security-Policy-Report-Only keyword.

Actual results:

Firefox reported the following error in console:

CSP WARN: Couldn't process unknown directive 'Content-Security-Policy-Report-Only:'

Expected results:

Firefox should report CSP violations, but not actually enforce CSP, as per http://www.w3.org/TR/CSP/#content-security-policy-report-only-header-field
(Reporter)

Comment 1

5 years ago
Full policy on my test page (http://webcookies.info/):

Content-Security-Policy-Report-Only:Content-Security-Policy-Report-Only: default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; connect-src 'none'; font-src 'none'; object-src 'none'; media-src 'none'; frame-src 'none'; sandbox; report-uri http://cspbuilder.info/report/5657266136855547870/

Updated

5 years ago
Blocks: 493857
Component: Untriaged → DOM: Core & HTML
Product: Firefox → Core
Comment 2

The string in comment 1 is not a valid policy directive, so we warn about the fact that it's broken and move on.

Aleksej, this isn't a DOM bug for what it's worth...
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID

Comment 3

5 years ago
> Aleksej, this isn't a DOM bug for what it's worth...

OK; I’ve seen one or two CSP tickets apparently related to the specification in that component.
Comment 4

You are using the CSP 1.0 format that won't be supported till Firefox 22 (https://bugzilla.mozilla.org/show_bug.cgi?id=746978#c80). You can add 'eval-script' and 'inline-script' to get it to work on older versions.

Other than that, the error you showed is due to the repeated "X-Content-Security-Policy-Report-Only" in the header as well as the value. It is not present in the test page anymore, so I assume you fixed it. Other than the unsafe-* directives, Firefox seems to be processing the header fine and I get warnings on my console. Keeping invalid.

Also, fwiw, I don't think Firefox supports report only mode for eval. And inline scripts reporting is not very useful, since it doesn't tell you much about the script iirc. imelven might know the status of these things.
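The cause described in comment 4 can be made concrete with a small policy tokenizer. This is an added example, not Firefox's parser and not code from the bug; the directive list is assumed from the policy quoted in comment 1, the report-uri is a placeholder, and `value_repeats_header_name` is a hypothetical check for the misconfiguration:

```python
import re

# Directive names from the CSP 1.0 policy quoted in comment 1; assumed to be the
# complete set this check needs to recognise.
KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "sandbox", "report-uri",
}


def parse_policy(value):
    """Tokenize a serialized policy the way CSP 1.0 does (split on ';', then on
    whitespace) and return ([(directive, [sources]), ...], [warnings])."""
    directives, warnings = [], []
    for raw in value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, sources = tokens[0], tokens[1:]
        if name.lower() not in KNOWN_DIRECTIVES:
            # The unknown directive is dropped together with everything after it
            # up to the next ';', which is how 'default-src' gets lost below.
            warnings.append("CSP WARN: Couldn't process unknown directive '%s'" % name)
            continue
        directives.append((name.lower(), sources))
    return directives, warnings


def value_repeats_header_name(value):
    """Detect the misconfiguration from comment 1: the header name was emitted
    again at the start of the header value (hypothetical check, not in Firefox)."""
    return bool(re.match(r"\s*(x-)?content-security-policy(-report-only)?\s*:", value, re.I))


# Constructed copy of the broken value from comment 1 (shortened; the report-uri
# path is a placeholder, not the reporter's endpoint).
BROKEN = ("Content-Security-Policy-Report-Only: default-src 'none'; script-src 'none'; "
          "sandbox; report-uri http://cspbuilder.info/report/PLACEHOLDER/")
# The same value with the stray header name removed.
FIXED = BROKEN.split(":", 1)[1].strip()

if __name__ == "__main__":
    for label, value in (("broken", BROKEN), ("fixed", FIXED)):
        directives, warnings = parse_policy(value)
        print(label, "repeats header name:", value_repeats_header_name(value))
        for w in warnings:
            print("  ", w)
        print("   parsed directives:", [d for d, _ in directives])
```

Note that the broken value does more than trigger a warning: the stray token sits in the same `;`-separated chunk as `default-src 'none'`, so the fallback directive is discarded along with it and the remaining policy is weaker than the one the reporter intended.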

Comment 5

5 years ago
(In reply to Devdatta Akhawe [:devd] from comment #4)
> You are using the CSP1.0 format that won't be supported till Firefox 22
> (https://bugzilla.mozilla.org/show_bug.cgi?id=746978#c80). 

Note the 'hope to' in that comment; bug 842657 is the one you want to watch there (flip the pref to turn on the new parser).

> Also, fwiw, I don't think Firefox supports report only mode for eval. And
> inline scripts reporting is not very useful, since it doesn't tell you much
> about the script iirc. imelven might know the status of these things.

This is bug 687086 which seems fairly well along.

Comment 6

5 years ago
(In reply to Boris Zbarsky (:bz) from comment #2)
>
> Aleksej, this isn't a DOM bug for what it's worth...

The CSP bugs are all Core|DOM: Core & HTML - for future reference, should we be using Core|Security instead?

Comment 7

Probably... it's not really a DOM thing per se.

Updated

5 years ago
Component: DOM: Core & HTML → Security