Closed Bug 886943 Opened 11 years ago Closed 10 years ago

CSP violation reports are non-conformant for script/eval

Categories

(Core :: Security, defect)

25 Branch
x86_64
Windows 7
defect
Not set
normal


RESOLVED WORKSFORME

People

(Reporter: hillbrad, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20130625 Firefox/25.0 (Nightly/Aurora)
Build ID: 20130625031238

Steps to reproduce:

Conformance test cases for Content Security Policy that exercise the functionality to block inline script and eval are available at:

http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_1.php
http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_4_1.php

Actual results:

When script is blocked, Firefox sets the 'violated-directive' value in the report JSON as either:

"inline script base restriction"
or
"eval script base restriction"

Expected results:

'violated-directive' should be set to the directive from the policy that caused the violation, e.g.:

'script-src http://webappsec-test.info:80/'
or
'script-src unsafe-inline'
etc.

The format FF is sending for these violation types is not specified by either https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#reporting or http://www.w3.org/TR/CSP/#report-uri and will make it difficult for servers to process CSP reports in a uniform way.
Component: Untriaged → Security
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: csp-w3c-1.0
This should be a pretty simple and isolated change here: http://mxr.mozilla.org/mozilla-central/source/content/base/src/contentSecurityPolicy.js#172 Replacing the "base restriction" messages with either script-src, style-src or default-src from the instance's _policy object.
Flags: needinfo?(sstamm)
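The interoperability problem from comment 0, and the directive lookup sketched in the comment above, from the report-collector's side: a small Node.js normaliser (added here as an example, not code from this bug or from Firefox) that accepts both the conformant `violated-directive` form and the pre-Firefox-37 "base restriction" strings, resolves them against `original-policy`, and applies the default-src fallback. The sample report is constructed; the function and field names beyond those in the CSP report JSON are assumptions.

```javascript
// Legacy Firefox strings quoted in this bug, mapped to the governing directive.
const LEGACY_BASE_RESTRICTIONS = {
  "inline script base restriction": "script-src",
  "eval script base restriction": "script-src",
};

// Parse a serialised policy ("a b; c d") into Map<directive, source list>.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Normalise one report so downstream processing sees a single shape:
// { directive, legacy, source } where `source` is the directive text as
// the policy actually declared it (what the spec expects in the report).
function normalizeViolatedDirective(report) {
  const body = report["csp-report"] || {};
  const raw = (body["violated-directive"] || "").trim();
  const policy = parsePolicy(body["original-policy"] || "");
  const legacy = LEGACY_BASE_RESTRICTIONS[raw.toLowerCase()];
  // Conformant reports start with the directive name itself.
  let name = legacy || raw.split(/\s+/)[0].toLowerCase();
  // CSP: a missing fetch directive is governed by default-src.
  if (!policy.has(name) && policy.has("default-src")) name = "default-src";
  const sources = policy.get(name) || [];
  return {
    directive: name,
    legacy: Boolean(legacy),
    source: [name, ...sources].join(" "),
  };
}

// Constructed sample of the non-conformant report shape described in comment 0.
const SAMPLE_LEGACY_REPORT = {
  "csp-report": {
    "document-uri": "http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_1.php",
    "violated-directive": "inline script base restriction",
    "original-policy": "default-src 'none'; script-src http://webappsec-test.info:80/",
  },
};

module.exports = { parsePolicy, normalizeViolatedDirective, SAMPLE_LEGACY_REPORT };
```

Collectors that key alerting on `violated-directive` can index on the normalised `directive` field so old and new Firefox builds land in the same bucket.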
I just re-ran the tests in comment 0 with our new implementation of CSP in Firefox 37. Our reports conform to the expected violation report syntax.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(sstamm)
Resolution: --- → WORKSFORME