Open
Bug 913596
Opened 11 years ago
Updated 2 years ago
CSP violation reports do not authenticate with NTLM
Categories
(Core :: DOM: Security, defect, P4)
Tracking
()
UNCONFIRMED
People
(Reporter: kirk.haines, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog])
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36

Steps to reproduce:

Press Cmd+N to open a new browser window, then type localhost in the address bar and press Enter. This site uses NTLM v2 authentication and is listed in the network.automatic-ntlm-auth.trusted-uris preference. It also responds with the following header:

Content-Security-Policy: sandbox allow-scripts allow-same-origin allow-popups;default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';report-uri /svc/ComplainCSP

For testing, this page executes JavaScript which calls eval, a violation of the CSP.

Actual results:

A request is sent to /svc/ComplainCSP which receives the following response:

HTTP/1.1 401 Unauthorized
Date: Fri, 06 Sep 2013 17:44:14 GMT
Server: Apache/2.2.22 (Win32) mod_jk/1.2.37 mod_ssl/2.2.22 OpenSSL/0.9.8t
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=C230E2C862B425FCABE598B6425B5406; Path=/svc
WWW-Authenticate: NTLM
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/plain
Proxy-Support: Session-Based-Authentication

No further requests are made to authenticate with NTLM.

Expected results:

After the request/response listed in actual results, two additional request/responses should have been sent to authenticate with NTLM:

A request with an Authorization header sending an NTLM appropriate server challenge.
A response of HTTP status 401 and an NTLM appropriate WWW-Authenticate header.
A request with an NTLM appropriate Authorization header.
A response of HTTP status 200.
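An added example, not part of the original report and not Firefox code: a Python check that walks a captured exchange for the report-uri endpoint and says how far the NTLM handshake got, using the message-type field carried in each NTLM token. The trace layout, function names and sample tokens are assumptions constructed for illustration.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # 8-byte signature, followed by a little-endian uint32 type

def ntlm_message_type(header_value):
    """1, 2 or 3 for an NTLM token, 0 for a bare 'NTLM' offer, None otherwise."""
    parts = header_value.strip().split(None, 1)
    if not parts or parts[0].upper() != "NTLM":
        return None
    if len(parts) == 1:
        return 0  # scheme offered, no token attached
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None
    return struct.unpack_from("<I", raw, 8)[0]

def handshake_state(trace):
    """Walk a trace (hypothetical layout: one dict per message), return the last leg reached."""
    state = "no-ntlm-offer"
    for msg in trace:
        if "status" in msg:  # response
            kind = ntlm_message_type(msg.get("www_authenticate", ""))
            if msg["status"] == 401 and kind == 0 and state == "no-ntlm-offer":
                state = "offered"
            elif msg["status"] == 401 and kind == 2 and state == "negotiate-sent":
                state = "challenged"
            elif 200 <= msg["status"] < 300 and state == "authenticate-sent":
                state = "completed"
        else:  # request
            kind = ntlm_message_type(msg.get("authorization", ""))
            if kind == 1 and state == "offered":
                state = "negotiate-sent"
            elif kind == 3 and state == "challenged":
                state = "authenticate-sent"
    return state

def _token(kind):
    # Constructed sample: signature and type field only, not a full NTLM message.
    return "NTLM " + base64.b64encode(NTLMSSP + struct.pack("<I", kind)).decode()

# Constructed traces: STALLED is the exchange in the report, COMPLETE the one it expected.
STALLED = [{"method": "POST"}, {"status": 401, "www_authenticate": "NTLM"}]
COMPLETE = STALLED + [
    {"authorization": _token(1)}, {"status": 401, "www_authenticate": _token(2)},
    {"authorization": _token(3)}, {"status": 200},
]
```

A result of "offered" for the report-uri request matches the behaviour in the report: the server offered NTLM and the client sent nothing further.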
Comment 1•8 years ago
Puh, this bug was filed a long time ago - reclassifying as backlog for now.
Component: Security → DOM: Security
Whiteboard: [domsecurity-backlog]
Updated•8 years ago
Priority: -- → P4
Updated•2 years ago
Severity: normal → S3