Closed Bug 984808 Opened 6 years ago Closed 4 years ago

CSP warning for violations caused by JavaScript does not show in devtools


(Core :: DOM: Security, defect, P3)






(Reporter: freddyb, Assigned: geekboy)


(Blocks 1 open bug)



(1 file)

Attached file simple.php
This reproduces in Nightly (2014-03-18) but not in Aurora.

1) Go to a simple CSP website, with inline script disabled (example attached)
2) Open DevTools
3) Use the following code sample:
> document.body.insertAdjacentHTML("afterend", "<img src=x onerror=alert(1)>")

In Aurora: 
> Content Security Policy: The page's settings blocked the loading of a resource: An attempt to execute inline scripts has been blocked
In Nightly: No message shows in the console, but it *does* show in the Browser Console.

I don't think this change is intended, is it?
This is similar to, and possibly a dupe of, bug 970790. Interesting that you have a regression range between Aurora and Nightly; that should help us pin it down.
My observation:

As noted in the reference bug above and freddy's report, this seems to be (what I called) probabilistic count. To make things worse for us, I observed strange behavior of the console logging.
This happens in release, beta, aurora and nightly.


Quit Firefox, open Firefox:

Case 1:   follow freddy's instruction

Observation 1: Sometimes the message shows up, sometimes it doesn't. This is known to us. See screenshot 1 and 2.

Observation 2: Sometimes the message count doesn't add up. See screenshot 3.

Case 2: have the web console opened before loading the page

Observation 1: We expect to see the message appear all the time. It does. 

Observation 2: As I continue to test, I notice the count doesn't match up anymore. See screenshot 4. I asked more than two injections but the count stopped. This happens sometimes. 

Note freddy's code already has a violation, so I thought maybe the message is logged internally. But after removing that violation from the PHP I can still reproduce the observations above.

What happens when the console is not open? Where do the log messages get sent to? Do we send to null? Does it keep a state?
Oops. The 4th screenshot is flawed. But I have a better example. In the release version of Firefox, I have the best illustration. Opened the dev tool before loading the page: the 1st time the message didn't appear, the 2nd time it appeared, then the count stopped.

Blocks: CSP
Component: Security → DOM: Security
See Also: → 1024562
Sid: is this still a problem?
Flags: needinfo?(sstamm)
Yep.  In nightly I can reproduce it.  CSP errors show up in the console, but when you copy/paste this code into the console:

> document.body.insertAdjacentHTML("afterend", "<img src=x onerror=alert(1)>")

errors only show up in the browser console (not in the web console).
Assignee: nobody → sstamm
Flags: needinfo?(sstamm)
Chris: is this a duplicate of bug 970790?
Priority: -- → P3
Flags: needinfo?(mozilla)
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #7)
> Chris: is this a duplicate of bug 970790?

This is in fact a duplicate. Boris summarizes the problem caused by the windowID in detail, see:

Marking this one as a duplicate.
Closed: 4 years ago
Flags: needinfo?(mozilla)
Resolution: --- → DUPLICATE
Duplicate of bug: 970790