Closed
Bug 984808
Opened 12 years ago
Closed 10 years ago
CSP warning for violations caused by JavaScript does not show in devtools
Categories
(Core :: DOM: Security, defect, P3)
RESOLVED
DUPLICATE
of bug 970790
People
(Reporter: freddy, Assigned: geekboy)
References
(Blocks 1 open bug)
Attachments
(1 file: 263 bytes, application/x-php)
This reproduces in Nightly (2014-03-18) but not in Aurora.
STR:
1) Go to a simple CSP website, with inline script disabled (example attached)
2) Open DevTools
3) Use the following code sample:
> document.body.insertAdjacentHTML("afterend", "<img src=x onerror=alert(1)>")
In Aurora:
> Content Security Policy: The page's settings blocked the loading of a resource: An attempt to execute inline scripts has been blocked
In Nightly: No message shows in the console, but it *does* show in the Browser Console.
I don't think this change is intended, is it?
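A small local test server that can stand in for the attached test page and records every violation report the browser sends, giving a count to compare with what the Web Console shows. This is an added example, not the bug's PHP attachment or Mozilla code; the policy, the port and the `/csp-report` path are assumptions.

```python
import json
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed policy: inline script is blocked and violations go to /csp-report.
POLICY = "default-src 'self'; script-src 'self'; report-uri /csp-report"
PAGE = b"<!doctype html><title>CSP test</title><body><p>CSP test page</p></body>"

class CspTestHandler(BaseHTTPRequestHandler):
    reports = []                 # violation reports received so far
    lock = threading.Lock()

    def do_GET(self):
        # Every page is served with the policy under test.
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Security-Policy", POLICY)
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def do_POST(self):
        # Browsers POST a JSON body of the form {"csp-report": {...}}.
        try:
            length = int(self.headers.get("Content-Length", 0))
            report = json.loads(self.rfile.read(min(length, 65536)))["csp-report"]
        except (ValueError, KeyError, TypeError):
            report = None
        if self.path != "/csp-report" or not isinstance(report, dict):
            self.send_error(404 if self.path != "/csp-report" else 400)
            return
        with self.lock:
            self.reports.append(report)
        self.send_response(204)
        self.end_headers()

def violation_counts():
    """Number of reports received so far, per violated directive."""
    with CspTestHandler.lock:
        return dict(Counter(str(r.get("violated-directive", "unknown"))
                            for r in CspTestHandler.reports))

def start_server(port=0):
    server = ThreadingHTTPServer(("127.0.0.1", port), CspTestHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    start_server(8000)           # assumed port: browse to http://127.0.0.1:8000/
    while input("Enter = print counts, q = quit: ") != "q":
        print(violation_counts())
```

Each violation the browser reports arrives as one POST, so the server-side count is independent of whether the console was open when the violation occurred.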
Comment 1•12 years ago
This is similar to, and possibly a dupe of, bug 970790. Interesting that you have a regression range between Aurora and Nightly; that should help us pin it down.
Comment 2•12 years ago
My observation:
As noted in the reference bug above and freddy's report, this seems to be (what I called) probabilistic count. To make things worse for us, I observed strange behavior of the console logging.
This happens in release, beta, aurora and nightly.
Screenshots: http://imgur.com/nypD6rQ,n1WMdrs,wAhwOnd,02pJ3yN#0
Quit Firefox, open Firefox:
Case 1: follow freddy's instruction
Observation 1: Sometimes the message shows up, sometimes it doesn't. This is known to us. See screenshot 1 and 2.
Observation 2: Sometimes the message count doesn't add up. See screenshot 3.
Case 2: have the web console opened before loading the page
Observation 1: We expect to see the message appear all the time. It does.
Observation 2: As I continue to test, I notice the count doesn't match up anymore. See screenshot 4. I asked more than two injections but the count stopped. This happens sometimes.
Note freddy's code already has a violation so I thought maybe the message is logged internally. But removing that violation from the PHP I can still reproduce the observations above.
What happens when the console is not open? Where do the log messages get sent to? Do we send to null? Does it keep a state?
Comment 3•12 years ago
Oops. The 4th screenshot is flawed. But I have a better example. In the release version of Firefox, I have the best illustration. Opened the dev tool before loading the page: the 1st time the message didn't appear, the 2nd time it appeared, then the count stopped.
screenshot: http://i.imgur.com/w4Xihww.png
Comment 5•11 years ago (Assignee)
Yep. In nightly I can reproduce it. CSP errors show up in the console, but when you copy/paste this code into the console:
> document.body.insertAdjacentHTML("afterend", "<img src=x onerror=alert(1)>")
errors only show up in the browser console (not in the web console).
Assignee: nobody → sstamm
Flags: needinfo?(sstamm)
Comment 7•11 years ago (Assignee)
Chris: is this a duplicate of bug 970790?
Flags: needinfo?(mozilla)
Comment 8•10 years ago
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #7)
> Chris: is this a duplicate of bug 970790?
This is in fact a duplicate. Boris summarizes the problem caused by the windowID in detail, see:
> https://bugzilla.mozilla.org/show_bug.cgi?id=970790#c14
Marking this one as a duplicate.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mozilla)
Resolution: --- → DUPLICATE