Closed
Bug 984808
Opened 10 years ago
Closed 9 years ago
CSP warning for violations caused by JavaScript does not show in devtools
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
RESOLVED
DUPLICATE
of bug 970790
People
(Reporter: freddy, Assigned: geekboy)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
263 bytes,
application/x-php
|
Details |
This reproduces in Nightly (2014-03-18) but not in Aurora. STR: 1) Go to a simple CSP website, with inline script disabled (example attached) 2) Open DevTools 3) Use the following code sample: > document.body.insertAdjacentHTML("afterend", "<img src=x onerror=alert(1)>") In Aurora: > Content Security Policy: The page's settings blocked the loading of a resource: An attempt to execute inline scripts has been blocked In Nightly: No message shows in the console, but it *does* show in the Browser Console. I don't think this change is intended, is it.
Comment 1•10 years ago
|
||
This is similar to, and possibly a dupe of, bug 970790. Interesting that you have a regression range between Aurora and Nightly; that should help us pin it down.
Comment 2•10 years ago
|
||
My observation: As noted in the reference bug above and freddy's report, this seems to be (what I called) probabilistic count. To make things worse for us, I observed strange behavior of the console logging. This happens in release, beta, aurora and nightly. Screenshots: http://imgur.com/nypD6rQ,n1WMdrs,wAhwOnd,02pJ3yN#0 Quit firefox, open firefox: Case 1: follow freddy's instruction Observation 1: Sometimes the message shows up, sometimes it doesn't. This is known to us. See screenshot 1 and 2. Observation 2: Sometimes the message count doesn't add up. See screenshot 3. Case 2: have the web console opened before loading the page Observation 1: We expect to see the message appear all the time. It does. Observation 2: As I continue to test, I notice the count doesn't match up anymore. See screenshot 4. I asked more than two injections but the count stopped. This happens sometimes. Note freddy's code already have a violation so I thought maybe the message is logged internally. But removing that violating from the php I can still reproduce the observations above. What happen when the console is not open? Where does the log messages get send to? Do we send to null? Does it keep a state?
Comment 3•10 years ago
|
||
Opps. The 4th screenshot is flaw. But I have a better example. In the release version of Firefox, I have the best illustration. Opened the dev tool before loading page, see 1st time the message didn't appear, the 2nd time it appeared, then the count stopped. screenshot: http://i.imgur.com/w4Xihww.png
Assignee | ||
Comment 5•9 years ago
|
||
Yep. In nightly I can reproduce it. CSP errors show up in the console, but when you copy/paste this code into the console:
> document.body.insertAdjacentHTML("afterend", "<img src=x onerror=alert(1)>")
errors only show up in the browser console (not in the web console).
Assignee: nobody → sstamm
Flags: needinfo?(sstamm)
Comment 8•9 years ago
|
||
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #7) > Chris: is this a duplicate of bug 970790? This is in fact a duplicate. Boris summarizes the problem caused by the windowID in detail, see: > https://bugzilla.mozilla.org/show_bug.cgi?id=970790#c14 Marking this one as a duplicate.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(mozilla)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•