Bug 886943 - CSP violation reports are non-conformant for script/eval
Opened 11 years ago; closed 10 years ago
Categories: Core :: Security, defect
Status: RESOLVED WORKSFORME
People: Reporter: hillbrad; Unassigned
References: Blocks 1 open bug
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20130625 Firefox/25.0 (Nightly/Aurora)
Build ID: 20130625031238
Steps to reproduce:
Conformance test cases for Content Security Policy that exercise the functionality to block inline script and eval are available at:
http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_1.php
http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_4_1.php
Actual results:
When script is blocked, Firefox sets the 'violated-directive' value in the report JSON as either:
"inline script base restriction"
or
"eval script base restriction"
Expected results:
'violated-directive' should be set to the directive from the policy that caused the violation, e.g.:
'script-src http://webappsec-test.info:80/'
or
'script-src unsafe-inline'
etc. The format FF is sending for these violation types is not specified by either https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#reporting or http://www.w3.org/TR/CSP/#report-uri and will make it difficult for servers to process CSP reports in a uniform way.
Updated 11 years ago
Component: Untriaged → Security
Product: Firefox → Core
Updated 11 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated 11 years ago
Blocks: csp-w3c-1.0
Comment 1, 11 years ago
This should be a pretty simple and isolated change here:
http://mxr.mozilla.org/mozilla-central/source/content/base/src/contentSecurityPolicy.js#172
Replacing the "base restriction" messages with either script-src, style-src or default-src from the instance's _policy object.
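As an added example (not code from the bug, from the test pages, or from Mozilla's contentSecurityPolicy.js): a small report-uri handler that accepts CSP 1.0 violation reports and, when a user agent sends one of the non-standard "base restriction" strings from comment 0, derives the conforming 'violated-directive' value the way comment 1 proposes, by looking up script-src (or style-src) in the report's original-policy and falling back to default-src. The function names, the inline-style string, and the two sample reports are constructed assumptions, not captured output from Firefox.

```javascript
// Added example, not Mozilla's code: normalise the 'violated-directive' field of
// CSP 1.0 violation reports so a collector can key on the directive name even
// when a user agent sends a non-standard string such as
// "inline script base restriction" (as Firefox 25 Nightly did in this bug).

// Non-standard strings observed in the bug, mapped to the directive that governs them.
// The style entry is assumed by analogy and was not observed in the bug.
const LEGACY_VIOLATION_STRINGS = new Map([
  ["inline script base restriction", "script-src"],
  ["eval script base restriction", "script-src"],
  ["inline style base restriction", "style-src"],
]);

// Parse a serialised policy such as
//   "default-src 'self'; script-src http://webappsec-test.info:80/"
// into a Map of directive name -> source-list string (first occurrence wins,
// as the spec requires for duplicate directives).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1).join(" "));
  }
  return directives;
}

// Return the directive from the policy that actually governed the blocked load:
// the named directive if present, otherwise default-src (the CSP 1.0 fallback),
// otherwise just the bare name when the policy did not constrain it at all.
function effectiveDirective(policy, wanted) {
  const directives = parsePolicy(policy);
  if (directives.has(wanted)) return `${wanted} ${directives.get(wanted)}`.trim();
  if (directives.has("default-src")) return `default-src ${directives.get("default-src")}`.trim();
  return wanted;
}

// Normalise one report. Input: the JSON text posted to report-uri, with or without
// the outer {"csp-report": ...} wrapper. Output: a record with a standard-form
// violated-directive and a flag saying whether a legacy string was rewritten.
function normalizeReport(jsonText) {
  const body = JSON.parse(jsonText);
  const report = body["csp-report"] || body;
  const raw = String(report["violated-directive"] || "").trim();
  const policy = String(report["original-policy"] || "");
  let violated = raw;
  let rewritten = false;
  const legacyName = LEGACY_VIOLATION_STRINGS.get(raw.toLowerCase());
  if (legacyName) {
    violated = effectiveDirective(policy, legacyName);
    rewritten = true;
  }
  const directiveName = violated.split(/\s+/)[0].toLowerCase();
  return {
    documentUri: report["document-uri"] || "",
    blockedUri: report["blocked-uri"] || "",
    directiveName,
    violatedDirective: violated,
    rewritten,
  };
}

// Constructed sample reports (assumptions for this example, not captured from the test pages).
const FIREFOX25_STYLE_REPORT = JSON.stringify({ "csp-report": {
  "document-uri": "http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_1.php",
  "blocked-uri": "self",
  "violated-directive": "inline script base restriction",
  "original-policy": "default-src 'self'; script-src http://webappsec-test.info:80/",
}});

const CONFORMANT_REPORT = JSON.stringify({ "csp-report": {
  "document-uri": "http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_4_1.php",
  "blocked-uri": "self",
  "violated-directive": "script-src 'unsafe-inline'",
  "original-policy": "script-src 'unsafe-inline'",
}});

console.log(normalizeReport(FIREFOX25_STYLE_REPORT));
console.log(normalizeReport(CONFORMANT_REPORT));
```

Reports that already carry a directive pass through untouched; the rewrite only fires on the exact legacy strings, so a collector can log the `rewritten` flag to see which user agents still need the workaround.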
Updated 10 years ago
Flags: needinfo?(sstamm)
Comment 2, 10 years ago
I just re-ran the tests in comment 0 with our new implementation of CSP in Firefox 37. Our reports conform to the expected violation report syntax.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(sstamm)
Resolution: --- → WORKSFORME