
Issue 601212


Issue metadata

Status: Duplicate
Merged: issue 503730
Owner: ----
Closed: Apr 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug




Not all appropriate CSP reports are sent.

Reported by scott.he...@gmail.com, Apr 6 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

Steps to reproduce the problem:
On this page: https://scotthelme.co.uk/csp-test/
I issue the following policies:

Content-Security-Policy: img-src 'self' data: *snip domains for sanity*; report-uri https://scotthelme.report-uri.io/r/default/csp/enforce

Content-Security-Policy-Report-Only: img-src 'self' data: *snip domains for sanity*; report-uri https://scotthelme.report-uri.io/r/default/csp/reportOnly

The page intentionally loads the following offending asset using the ftp scheme which is not permitted:
<img src="ftp://example.com/profile.png">

I get a CSP report from the enforced policy but *not* from the report-only policy. The policies do differ and Firefox does send a report for each policy for the particular asset. There are also other reports not sent for the same page.

What is the expected behavior?
A report should be sent for the enforced policy and the report-only policy.

What went wrong?
There was no report sent for the report-only policy.

Did this work before? N/A 

Chrome version: 49.0.2623.110  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 21.0 r0

Is this chrome intentionally not sending duplicate reports or a bug?
 
Attachments: chrome.png (183 KB), firefox.png (85.9 KB)
Actually, the report payloads should be different because the report-uri directive is different. There is also 1 source difference between the 2 headers. This appears to be a bug.
Components: Blink>CSP
Labels: -Type-Bug-Regression OS-Linux OS-Mac Type-Bug
Status: Untriaged (was: Unconfirmed)
Able to reproduce the issue on Windows 7, Mac 10.10.5, Ubuntu 14.04 using 49.0.2623.110 and canary 51.0.2701.0 with the steps below:

1. Opened URL: https://scotthelme.co.uk/csp-test/
2. Opened dev tools -> console
3. Observed the error 'Refused to load the image'.

This is a non-regression issue, seen since M-30 (30.0.1549.0). Hence, marking it as untriaged.
Could anyone from the dev team look into this issue please?
Components: -Blink>CSP Blink>SecurityFeature
Hang on, how is this different from issue 503730? I reproduced the behavior in a test, but to me it looks like the request is being blocked by the enforced policy, so it's never checked against the report-only policy, which is the bug described in comment 4 on that issue.
Ahh, ok. There is an error displayed from the report-only policy, which is why I thought it differed from the issue you linked, but on closer inspection it's because that's the only thing on the page blocked by the report-only policy and not the enforced policy... You're correct, this can be closed as a duplicate. Interesting that it doesn't completely block the report-only header though; it seems to just be on an asset-by-asset basis?
Mergedinto: 503730
Status: Duplicate (was: Untriaged)
Yeah, when loading a particular resource, we loop through and check each of the policies, but exit early if one of the policies denies the load.
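The early-exit behaviour described in the last comment, as an added example that is not Chromium's code: a toy model of checking one resource load against several CSP policies. With `earlyExit` set, the loop stops at the first policy that denies the load, so a later report-only policy never gets to generate its report; a resource denied only by the report-only policy still reports in both modes, which matches what the reporter observed. The page URL, the two policy strings (the enforced one permits one extra host, `cdn.example`), the resource URLs and the report object shape are constructed for illustration, and the matcher handles only `'self'`, `scheme:` and host sources.

```javascript
// Added example, not Chromium code: a toy model of how a browser checks one
// resource load against several CSP policies and emits violation reports.
// Policy strings, page URL, resource URLs and the report object shape are
// constructed for illustration; the matcher covers only 'self', scheme: and
// host sources, which is all the img-src case in this issue needs.

// Parse a CSP header value into { directiveName: [sources...] }.
function parsePolicy(header, reportOnly) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return { directives, reportOnly };
}

// Does one source expression match the resource URL?
// Simplification: a host source without a scheme matches only the page's scheme.
function sourceMatches(source, resource, page) {
  if (source === "'self'") {
    return resource.protocol === page.protocol && resource.host === page.host;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {          // scheme source, e.g. data:
    return resource.protocol === source.toLowerCase();
  }
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)$/i); // [scheme://]host
  if (!m) return false;
  const scheme = m[1] ? `${m[1].toLowerCase()}:` : page.protocol;
  if (resource.protocol !== scheme) return false;
  const host = m[2].toLowerCase();
  return host.startsWith('*.')
    ? resource.hostname.endsWith(host.slice(1))
    : resource.hostname === host;
}

// Does this policy allow the load? No applicable directive means "allowed".
function allows(policy, directive, resource, page) {
  const sources = policy.directives[directive] || policy.directives['default-src'];
  if (!sources) return true;
  if (sources.includes("'none'")) return false;
  return sources.some((s) => sourceMatches(s, resource, page));
}

// Check a load against every policy. With earlyExit=true the loop stops at the
// first policy that denies the load (the behaviour described in the last
// comment), so later report-only policies never generate their report.
function evaluateLoad(policies, directive, resourceUrl, pageUrl, earlyExit) {
  const resource = new URL(resourceUrl);
  const page = new URL(pageUrl);
  const reports = [];
  let blocked = false;
  for (const policy of policies) {
    if (allows(policy, directive, resource, page)) continue;
    reports.push({
      'report-uri': (policy.directives['report-uri'] || [])[0],
      'violated-directive': directive,
      'blocked-uri': resourceUrl,
      disposition: policy.reportOnly ? 'report' : 'enforce',
    });
    if (!policy.reportOnly) {
      blocked = true;
      if (earlyExit) break;
    }
  }
  return { blocked, reports };
}

// Constructed policies in the shape of the two headers in the report: the
// enforced header is processed first (assumed order) and permits one extra host.
const PAGE = 'https://scotthelme.co.uk/csp-test/';
const POLICIES = [
  parsePolicy("img-src 'self' data: cdn.example; report-uri https://scotthelme.report-uri.io/r/default/csp/enforce", false),
  parsePolicy("img-src 'self' data:; report-uri https://scotthelme.report-uri.io/r/default/csp/reportOnly", true),
];

// The ftp: image from the issue is denied by both policies.
const withBug = evaluateLoad(POLICIES, 'img-src', 'ftp://example.com/profile.png', PAGE, true);
const fixed = evaluateLoad(POLICIES, 'img-src', 'ftp://example.com/profile.png', PAGE, false);
console.log('early exit:', withBug.reports.map((r) => r.disposition));   // [ 'enforce' ]
console.log('all policies:', fixed.reports.map((r) => r.disposition));   // [ 'enforce', 'report' ]

// An image allowed by the enforced policy but not by the report-only one is
// reported either way, which is why the thread still saw a report-only console error.
const onlyReportOnly = evaluateLoad(POLICIES, 'img-src', 'https://cdn.example/logo.png', PAGE, true);
console.log('report-only only:', onlyReportOnly.reports.map((r) => r.disposition)); // [ 'report' ]
```

Run with `node` on any release that provides the global `URL` class. The fix is simply the `earlyExit=false` path: keep iterating after an enforced denial so every policy gets to emit its own report to its own `report-uri`.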
