CSP WARN: can't use report URI from non-matching eTLD+1: cspbuilder.info

RESOLVED DUPLICATE of bug 843311

Product: Core
Component: Security
Reporter: Pawel Krawczyk (Unassigned)
Version: 20 Branch
Platform: x86, Windows XP

Description (Reporter)

User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22

Steps to reproduce:

Go to http://webcookies.info/ which sets the following CSP:

X-Content-Security-Policy-Report-Only:Content-Security-Policy-Report-Only: default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; connect-src 'none'; font-src 'none'; object-src 'none'; media-src 'none'; frame-src 'none'; sandbox; report-uri http://cspbuilder.info/report/5657266136855547870/


Actual results:

Firefox displayed the following warning in the console:

CSP WARN:  can't use report URI from non-matching eTLD+1: cspbuilder.info



Expected results:

Firefox should send the report to the indicated page. The CSP proposed standard (http://www.w3.org/TR/CSP/) does not require that reports are only sent to the same TLD, and it doesn't really add much security, as reports do not contain any sensitive information. On the other hand, blocking reports sent to a 3rd party makes any CSP-related service (policy refinement or log processing) impossible.

Updated

Component: Untriaged → Security
Product: Firefox → Core
The X- version of the header predates the standard -- please stop using it (it will be removed in a future version of Firefox). The report destination restrictions also predate the standard and came from a time when reports did, in fact, have sensitive information.

The standard removed information from the report as well as specifying that reports should not have any destination restrictions, and more recent versions of Firefox implement that standard if you are using the standard Content-Security-Policy header.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 843311
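The restriction the reporter hits, and the maintainer's explanation of it, can be modelled in a few lines. This is an added example, not Firefox's code: it uses a constructed stand-in for the Public Suffix List, and `report_decision` mirrors the behaviour the comments describe (legacy X- header: report dropped unless the destination shares the page's eTLD+1; standard header: no destination restriction).

```python
"""Model of the legacy report-uri eTLD+1 check discussed in this bug (added example)."""
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List; a real check must use the full list.
PUBLIC_SUFFIXES = {"com", "info", "org", "uk", "co.uk"}

# Policy value from the bug report (directives shortened to the relevant ones).
POLICY = ("default-src 'none'; script-src 'none'; sandbox; "
          "report-uri http://cspbuilder.info/report/5657266136855547870/")


def etld_plus_one(host: str) -> str:
    """Return the registrable domain (eTLD+1), preferring the longest matching suffix."""
    labels = host.lower().rstrip(".").split(".")
    for n in range(1, len(labels)):
        if ".".join(labels[n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[n - 1:])
    return host.lower()


def report_uris(policy: str) -> List[str]:
    """Extract the report-uri values from a serialized CSP policy."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "report-uri":
            return parts[1:]
    return []


def report_decision(header_name: str, policy: str, page_url: str) -> Dict[str, bool]:
    """Per report-uri, decide whether a violation report would be sent.

    Legacy X-Content-Security-Policy headers require the destination to share the
    page's eTLD+1 (the check behind the "CSP WARN" in this bug); the standard
    Content-Security-Policy header imposes no destination restriction.
    """
    legacy = header_name.lower().startswith("x-content-security-policy")
    page_site = etld_plus_one(urlparse(page_url).hostname or "")
    decisions: Dict[str, bool] = {}
    for uri in report_uris(policy):
        host: Optional[str] = urlparse(uri).hostname  # None for a relative report-uri
        if legacy and host is not None and etld_plus_one(host) != page_site:
            print(f"CSP WARN: can't use report URI from non-matching eTLD+1: {host}")
            decisions[uri] = False
        else:
            decisions[uri] = True
    return decisions
```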