Open Bug 913596 Opened 11 years ago Updated 2 years ago

CSP violation reports do not authenticate with NTLM

Categories: Core :: DOM: Security, defect, P4; 23 Branch; x86_64; Windows 7; defect
Tracking: UNCONFIRMED
People: Reporter: kirk.haines, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [domsecurity-backlog]

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36

Steps to reproduce:

Press Cmd+N to open a new browser window, then type localhost in the address bar and press Enter.
This site uses NTLM v2 authentication and is listed in the network.automatic-ntlm-auth.trusted-uris preference. It also responds with the following header:
Content-Security-Policy: sandbox allow-scripts allow-same-origin allow-popups;default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';report-uri /svc/ComplainCSP
For testing, this page executes JavaScript which calls eval, a violation of the CSP.


Actual results:

A request is sent to /svc/ComplainCSP which receives the following response:
HTTP/1.1 401 Unauthorized
Date: Fri, 06 Sep 2013 17:44:14 GMT
Server: Apache/2.2.22 (Win32) mod_jk/1.2.37 mod_ssl/2.2.22 OpenSSL/0.9.8t
X-Frame-Options: DENY
Set-Cookie: JSESSIONID=C230E2C862B425FCABE598B6425B5406; Path=/svc
WWW-Authenticate: NTLM
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/plain
Proxy-Support: Session-Based-Authentication

No further requests are made to authenticate with NTLM.


Expected results:

After the request/response listed in actual results, two additional request/responses should have been sent to authenticate with NTLM:
1. A request with an Authorization header sending an NTLM appropriate server challenge.
2. A response of HTTP status 401 and an NTLM appropriate WWW-Authenticate header.
3. A request with an NTLM appropriate Authorization header.
4. A response of HTTP status 200.
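The following is an added example, not code from the bug report or from Firefox. It parses the Content-Security-Policy header quoted above, resolves report-uri against the page origin, and then models the report POST against a constructed stand-in for /svc/ComplainCSP that insists on NTLM. The client can be run in the reported mode (stops at the first 401) or in the expected mode (negotiate, receive challenge, authenticate, 200). The NTLM tokens are opaque placeholder bytes, not real NTLM messages, and the endpoint class, function names and the report body are all assumptions made for the example.

```python
import base64
import json
from urllib.parse import urljoin

# The policy from the bug report, as served by the reporter's localhost site.
CSP_HEADER = ("sandbox allow-scripts allow-same-origin allow-popups;"
              "default-src 'self';script-src 'self' 'unsafe-inline';"
              "style-src 'self' 'unsafe-inline';report-uri /svc/ComplainCSP")


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def report_targets(policy, document_uri):
    """Resolve every report-uri value against the page that carried the policy."""
    return [urljoin(document_uri, t) for t in policy.get("report-uri", [])]


def build_report(document_uri, violated_directive, blocked_uri):
    """Minimal CSP violation report body (constructed; the 'csp-report' wrapper is standard)."""
    return {"csp-report": {"document-uri": document_uri,
                           "violated-directive": violated_directive,
                           "blocked-uri": blocked_uri}}


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


class NtlmReportEndpoint:
    """Constructed stand-in for /svc/ComplainCSP: stores a report only after a
    completed NTLM handshake.  The tokens are placeholders, not NTLM messages."""

    def __init__(self):
        self.reports = []

    def handle(self, request):
        auth = request["headers"].get("Authorization", "")
        if not auth.startswith("NTLM "):
            # First response in the bug: bare challenge, no token yet.
            return {"status": 401, "headers": {"WWW-Authenticate": "NTLM"}}
        token = base64.b64decode(auth[len("NTLM "):])
        if token == b"TYPE1-NEGOTIATE":
            return {"status": 401,
                    "headers": {"WWW-Authenticate": "NTLM " + _b64(b"TYPE2-CHALLENGE")}}
        if token == b"TYPE3-AUTHENTICATE":
            self.reports.append(json.loads(request["body"]))
            return {"status": 200, "headers": {}}
        return {"status": 401, "headers": {"WWW-Authenticate": "NTLM"}}


def post_report(endpoint, url, report, ntlm_enabled):
    """POST the report and return the [(request, response), ...] transcript.

    ntlm_enabled=False reproduces 'Actual results' (stop at the first 401);
    True follows the three-message exchange listed under 'Expected results'."""
    body = json.dumps(report)
    transcript = []

    def send(extra_headers):
        request = {"method": "POST", "url": url, "body": body,
                   "headers": {"Content-Type": "application/csp-report", **extra_headers}}
        response = endpoint.handle(request)
        transcript.append((request, response))
        return response

    response = send({})
    if ntlm_enabled and response["status"] == 401 \
            and response["headers"].get("WWW-Authenticate") == "NTLM":
        # Type 1: client negotiates; server must answer 401 plus a challenge.
        response = send({"Authorization": "NTLM " + _b64(b"TYPE1-NEGOTIATE")})
        challenge = response["headers"].get("WWW-Authenticate", "")
        if response["status"] == 401 and challenge.startswith("NTLM "):
            # Type 3: client answers the challenge; server should now accept.
            send({"Authorization": "NTLM " + _b64(b"TYPE3-AUTHENTICATE")})
    return transcript


if __name__ == "__main__":
    policy = parse_csp(CSP_HEADER)
    target = report_targets(policy, "http://localhost/")[0]
    report = build_report("http://localhost/", "script-src 'self' 'unsafe-inline'", "eval")
    for enabled in (False, True):
        endpoint = NtlmReportEndpoint()
        transcript = post_report(endpoint, target, report, ntlm_enabled=enabled)
        print(f"ntlm_enabled={enabled}: {len(transcript)} request(s), "
              f"final status {transcript[-1][1]['status']}, stored={len(endpoint.reports)}")
```

Running the block prints one line per mode: the reported behaviour leaves a single 401 and no stored report, while the expected flow produces three requests ending in 200 with the report stored. The endpoint drops any report that arrives without a completed handshake, which is the property the reporter relies on and the reason the missing handshake silently loses violation data.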

Puh, this bug was filed a long time ago - reclassifying as backlog for now.
Component: Security → DOM: Security
Whiteboard: [domsecurity-backlog]
Priority: -- → P4
Severity: normal → S3