Closed
Bug 1230528
Opened 9 years ago
Closed 2 years ago
CSP: Return 'inline' or 'eval' when `'unsafe-inline'` or `'unsafe-eval'` are violated.
Categories
(Core :: DOM: Security, defect)
Core
DOM: Security
Tracking
RESOLVED
FIXED
People
(Reporter: mkwst, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog])
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Steps to reproduce:
I visited a page whose Content Security Policy did not include `unsafe-inline`, but did include inline script.
Actual results:
The violation report's `blocked-uri` field was an empty string.
Expected results:
The (very new) https://w3c.github.io/webappsec-csp/#violation-resource defines a violation's resource as either a URL, or the string "inline" or "eval". The latter two are returned instead of an empty string when a violation occurs because of a mismatch with `unsafe-inline` or `unsafe-eval`. Ideally, the `blocked-uri` in the report would have contained one of those strings.
Summary: CS: Return 'inline' or 'eval' when `'unsafe-inline'` or `'unsafe-eval'` are violated. → CSP: Return 'inline' or 'eval' when `'unsafe-inline'` or `'unsafe-eval'` are violated.
Chrome has implemented this behavior in https://codereview.chromium.org/1486993002. Ms2ger assures me that your diff tools are better, but hopefully you can parse something useful out of that patch. :)
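To show why the `blocked-uri` value matters on the receiving side, here is an added example of a report-collector helper that classifies incoming CSP violation reports. It is not Firefox or Chromium code and not part of this bug; the report objects are constructed for illustration, and the handling of scheme-only values such as `data` is an assumption about how some user agents report non-network URLs. It distinguishes the spec form (`'inline'` / `'eval'`), the legacy empty string this bug describes, plain URLs, and scheme-only values, so that inline-script violations are not silently dropped or mis-filed as unknown resources.

```javascript
// Added example (not Firefox or Chromium code): classify the `blocked-uri`
// of CSP violation reports at a report collector. Sample reports below are
// constructed; the scheme-only case is an assumption about UA behaviour.

const SAMPLE_REPORTS = [
  // Legacy UA (the behaviour described in this bug): an inline <script> was
  // blocked but blocked-uri was reported as "".
  { "csp-report": {
      "document-uri": "https://example.test/account",
      "effective-directive": "script-src",
      "violated-directive": "script-src 'self'",
      "original-policy": "script-src 'self'; report-uri /csp-report",
      "blocked-uri": "" } },
  // Spec-conformant UA: inline script blocked.
  { "csp-report": {
      "document-uri": "https://example.test/account",
      "effective-directive": "script-src",
      "violated-directive": "script-src 'self'",
      "blocked-uri": "inline" } },
  // Spec-conformant UA: eval() blocked.
  { "csp-report": {
      "document-uri": "https://example.test/account",
      "effective-directive": "script-src",
      "violated-directive": "script-src 'self'",
      "blocked-uri": "eval" } },
  // A script fetched from a host the policy does not allow.
  { "csp-report": {
      "document-uri": "https://example.test/account",
      "effective-directive": "script-src",
      "violated-directive": "script-src 'self'",
      "blocked-uri": "https://cdn.example.net/lib.js?v=3#top" } },
  // Assumption: some UAs report only the scheme for non-network URLs.
  { "csp-report": {
      "document-uri": "https://example.test/account",
      "effective-directive": "img-src",
      "violated-directive": "img-src 'self'",
      "blocked-uri": "data" } },
];

// Directives whose violations can be caused by inline content or eval().
const INLINE_CAPABLE = new Set([
  "script-src", "script-src-elem", "script-src-attr",
  "style-src", "style-src-elem", "style-src-attr",
]);

function classifyBlockedResource(report) {
  const r = report["csp-report"] || {};
  const blocked = typeof r["blocked-uri"] === "string" ? r["blocked-uri"] : "";
  const directive = r["effective-directive"] ||
                    (r["violated-directive"] || "").split(/\s+/)[0];

  // Spec form: the violation resource is the literal string "inline" or "eval".
  if (blocked === "inline" || blocked === "eval") {
    return { kind: blocked, directive, resource: null };
  }
  // Legacy form (this bug): the UA gave no resource at all. Only
  // inline-capable directives can be attributed to inline/eval this way.
  if (blocked === "") {
    return {
      kind: INLINE_CAPABLE.has(directive) ? "inline-or-eval" : "unknown",
      directive,
      resource: null,
    };
  }
  // Scheme-only value (e.g. "data"), checked after the inline/eval literals.
  if (/^[a-z][a-z0-9+.-]*$/i.test(blocked)) {
    return { kind: "scheme", directive, resource: blocked };
  }
  try {
    const u = new URL(blocked);
    // Keep origin + path only; query and fragment are dropped before storage.
    return { kind: "url", directive, resource: u.origin + u.pathname };
  } catch (e) {
    return { kind: "unknown", directive, resource: blocked };
  }
}

// Aggregate a batch of reports by directive, kind and (where present) resource.
function summarizeReports(reports) {
  const counts = {};
  for (const report of reports) {
    const c = classifyBlockedResource(report);
    const key = `${c.directive} ${c.kind}${c.resource ? " " + c.resource : ""}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

console.log(summarizeReports(SAMPLE_REPORTS));
```

Run with `node`; the summary separates the three inline/eval cases, the remote script URL (with its query and fragment stripped) and the scheme-only image source. The legacy bucket `inline-or-eval` is exactly the ambiguity that returning `'inline'` or `'eval'` removes.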
Updated•9 years ago
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core
Updated•2 years ago
Severity: normal → S3
Comment 2•2 years ago
I believe this has been fixed in the meantime. https://searchfox.org/mozilla-central/rev/3c194fa1d6f339036d2ec9516bd310c6ad612859/dom/security/nsCSPContext.cpp#103
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
Updated•2 years ago
Resolution: WONTFIX → FIXED