Closed
Bug 1233260
Opened 9 years ago
Closed 2 years ago
Firefox doesn't send cookies to same-origin reporting-uri for Content Security Policy violations
Categories
(Core :: DOM: Security, defect, P3)
RESOLVED
DUPLICATE
of bug 1140266
People
(Reporter: dp.maxime, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog])
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20151210084639
Steps to reproduce:
Take any page on a web site with a Content Security Policy set and add any img tag referring to an image file outside the permitted sources in the Content Security Policy, so the browser ought to report the violation by making a POST request to the URI specified in the report-uri directive.
Actual results:
Firefox version 43 on Ubuntu 15.10 makes the POST request to the URI as specified; however, it doesn't send any HTTP cookie stored for the site it is trying to access. It does send such cookies for any other request to the same web site.
Expected results:
The browser must provide HTTP cookies with any request sent to a web site, including the request made according to the report-uri directive in Content Security Policy.
Updated•9 years ago
Component: Untriaged → Networking: Cookies
Product: Firefox → Core
Comment 1•9 years ago
Steve, can you help me figure out if this request is supposed to be anonymous? (And if so, close as invalid.)
Flags: needinfo?(sworkman)
Whiteboard: [necko-backlog]
Comment 2•9 years ago
Thanks Pat - this sounds like expected behavior to me, i.e. avoiding leaking user cookies to a reporting system. Chris, can you confirm this and mark the bug per Pat's request?
Flags: needinfo?(sworkman) → needinfo?(ckerschbaumer)
Comment 3•9 years ago
(In reply to Steve Workman [:sworkman] (please use needinfo) from comment #2)
> Thanks Pat - this sounds like expected behavior to me, i.e. avoiding leaking
> user cookies to a reporting system. Chris, can you confirm this and mark the
> bug per Pat's request?
You are absolutely right, Steve; we do not want to send cookies in case the report-uri was injected. See the code and comment here:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fb00a01bf9f3#l1.444
Flags: needinfo?(ckerschbaumer)
Updated•9 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Comment 4
The Content Security Policy Level 2 recommendation requires blocking cookies only when the reporting URI is not of the same origin; see https://www.w3.org/TR/CSP2/#send-violation-reports
By dropping cookies unconditionally you make violation reporting for protected sites either unavailable (as the server will not be able to distinguish a logged-in session stored in a cookie) or prone to flooding attacks on the reporting URI if they decide to accept reports from any client.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 5•7 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Comment 6•7 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Updated•5 years ago
Component: Networking: Cookies → DOM: Security
Updated•5 years ago
Blocks: csp-w3c-3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Firefox doesn't send cookies when accessing page specified in report-uri directive of Content Security Policy → Firefox doesn't send cookies to same-origin reporting-uri for Content Security Policy violations
Whiteboard: [necko-backlog] → [domsecurity-backlog]
Comment 7•5 years ago
The CSP3 spec says that reports should use credentials mode "same-origin".
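As an added example (not code from this bug, from Firefox, or from the CSP specs), the following Python models the two sides of the behaviour argued over in comment 4 and comment 7: the browser-side credentials mode "same-origin" rule, under which cookies accompany the report POST only when the report-uri resolves to the protected document's origin, and a report-uri endpoint that attributes cookie-bearing reports to a session while rate-limiting anonymous ones so that accepting cookieless reports does not leave the endpoint open to unbounded flooding. The cookie name `sid`, the limit `ANON_LIMIT`, the hosts under `.test`, and the sample report are all constructed for this example.

```python
"""Added example, not code from the bug or from Firefox: a model of the two
sides of CSP violation reporting discussed in comments 4 and 7.

Browser side: the CSP2/CSP3 rule that the report request uses credentials
mode "same-origin", so cookies accompany the POST only when the report-uri
shares the protected document's origin.

Collector side: a report endpoint that attributes reports carrying the site's
session cookie to that session and rate-limits anonymous reports, so that a
report-uri that must accept cookieless reports cannot be flooded freely.

All URLs, cookie names, limits and sample reports are constructed for this
example.
"""
import json
from collections import defaultdict
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SESSION_COOKIE = "sid"   # assumed name of the site's session cookie
ANON_LIMIT = 5           # assumed per-client budget for anonymous reports


def origin_of(url):
    """Return the (scheme, host, port) triple that defines a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def should_send_cookies(protected_url, report_uri):
    """Credentials mode "same-origin": the browser attaches cookies to the
    report POST only if the (possibly relative) report-uri resolves to the
    same origin as the protected document."""
    return origin_of(protected_url) == origin_of(urljoin(protected_url, report_uri))


def parse_cookie_header(header):
    """Split a Cookie request header into a name -> value dict."""
    cookies = {}
    for item in (header or "").split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


class ReportCollector:
    """Minimal report-uri endpoint logic, independent of any web framework."""

    def __init__(self):
        self.accepted = []
        self.anon_counts = defaultdict(int)

    def handle(self, headers, body, client_ip):
        """Validate one report POST and return a short disposition string."""
        if headers.get("Content-Type") not in ("application/csp-report", "application/json"):
            return "rejected: content-type"
        try:
            report = json.loads(body)["csp-report"]
        except (ValueError, KeyError, TypeError):
            return "rejected: malformed"
        if not isinstance(report, dict):
            return "rejected: malformed"
        for field in ("document-uri", "violated-directive", "blocked-uri"):
            if field not in report:
                return "rejected: missing " + field
        # A same-origin report arrives with the session cookie, so it can be
        # attributed to a logged-in session (a real endpoint would also check
        # the id against its session store; that lookup is omitted here).
        session = parse_cookie_header(headers.get("Cookie")).get(SESSION_COOKIE)
        if session:
            self.accepted.append({"session": session, **report})
            return "accepted: session"
        # Cookieless reports are still useful but unattributable, so cap them
        # per client to blunt flooding of the endpoint.
        self.anon_counts[client_ip] += 1
        if self.anon_counts[client_ip] > ANON_LIMIT:
            return "dropped: anonymous rate limit"
        self.accepted.append({"session": None, **report})
        return "accepted: anonymous"


# Constructed sample report in the JSON shape a browser POSTs to report-uri.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://example.test/page",
    "violated-directive": "img-src 'self'",
    "blocked-uri": "https://cdn.other.test/pic.png",
}}).encode()


if __name__ == "__main__":
    page = "https://example.test/page"
    for uri in ("/csp-report", "https://reports.example.test/csp"):
        print(uri, "-> cookies sent:", should_send_cookies(page, uri))
    collector = ReportCollector()
    with_session = {"Content-Type": "application/csp-report", "Cookie": "sid=abc123; theme=dark"}
    print(collector.handle(with_session, SAMPLE_REPORT, "203.0.113.1"))
```

Under the same-origin rule a relative report-uri such as `/csp-report` receives the session cookie while a separate reporting host does not, which is exactly the split comment 4 asks for: attributed reports for the site's own endpoint, and a per-client budget rather than blind acceptance for anything that arrives without credentials.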
Updated•2 years ago
Status: NEW → RESOLVED
Closed: 9 years ago → 2 years ago
Resolution: --- → DUPLICATE