
Issue 606774

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Feature




CSP - Provide script-sample in Content-Security-Policy violation report to ease false-positive detection

Reported by imp...@gmail.com, Apr 26 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.86 Safari/537.36

Steps to reproduce the problem:
1. Display a web page that uses CSP without the "unsafe-inline" directive
2. Gather the directive violation report using the CSP report-uri directive
3. Chromium does not provide "script-sample" property in the violation report payload

What is the expected behavior?
Firefox provides a "script-sample" property that eases false-positive detection a lot.

What went wrong?
Nothing went wrong, it's a feature request. At the moment, it's difficult to detect whether there's an issue in the generated content or if it's a third party extension that triggered the CSP violation.

Did this work before? No 

Chrome version: 50.0.2661.86  Channel: stable
OS Version: OS X 10.11.4
Flash Version: Shockwave Flash 21.0 r0

As a resource, here's the piece of code of gecko that adds this property https://github.com/mozilla/gecko-dev/blob/3c5ee70a185407483b2040a3d32fa6da7f91560f/dom/security/nsCSPContext.cpp#L840-L844
 

Comment 1 by rsesek@chromium.org, Apr 26 2016

Cc: jww@chromium.org est...@chromium.org
Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -OS-Mac OS-All Type-Feature
Status: Untriaged (was: Unconfirmed)

Comment 2 by est...@chromium.org, Apr 26 2016

Cc: mkwst@chromium.org

Comment 3 by mkwst@chromium.org, Apr 26 2016

Cc: dved...@mozilla.org
We didn't add `script-sample` to the spec because it can reveal details of cross-origin scripts (which might include interesting data in cases like JSONP). Firefox is violating the spec, and it's not clear to me why they've decided that it's safe.

With regard to extensions, we shouldn't be sending reports for extensions. If we are, _that_'s the bug. Reproduction cases welcome... :)

Comment 4 by imp...@gmail.com, Apr 27 2016

Hello,

Thanks for your answer. 
I believe you, but I don't see how any details could be revealed by implementing this. Could you explain to me how sensitive details could be exposed via a script-sample?

Thanks

Comment 5 by mkwst@chromium.org, Feb 23 2017

Owner: mkwst@chromium.org
Status: Assigned (was: Untriaged)
Exploring an approach to this that's opt-in and inline-only: https://github.com/w3c/webappsec-csp/issues/119

Comment 6 by bugdroid1@chromium.org, Mar 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f98f5c2ccea76c9d7e76646369e2f51e0c926521

commit f98f5c2ccea76c9d7e76646369e2f51e0c926521
Author: mkwst <mkwst@chromium.org>
Date: Thu Mar 02 11:09:47 2017

CSP: Add 'sample' to violation reports.

This patch sketches out a 'sample' attribute similar to what Firefox
has been shipping as 'script-sample' for eons. The key distinctions are:

1.  This approach requires opt-in from the site, via a new
    `'report-sample'` expression in the relevant directive.

2.  We're including inline style violations as well.

Let's see how the spec discussion goes.

Spec: https://github.com/w3c/webappsec-csp/issues/119
Intent to Implement: https://groups.google.com/a/chromium.org/d/msg/blink-dev/6W9r_sX3zTQ/5XCSBUQBEAAJ

BUG= 606774 

Review-Url: https://codereview.chromium.org/2436003002
Cr-Commit-Position: refs/heads/master@{#454232}

[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/LayoutTests/external/wpt/MANIFEST.json
[add] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/script-sample-no-opt-in.html
[add] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/script-sample.html
[add] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/style-sample-no-opt-in.html
[add] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/securitypolicyviolation/style-sample.html
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report-expected.txt
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/core/events/SecurityPolicyViolationEvent.cpp
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/core/events/SecurityPolicyViolationEvent.h
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/core/events/SecurityPolicyViolationEvent.idl
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/core/events/SecurityPolicyViolationEventInit.idl
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/core/frame/csp/SourceListDirective.h
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp
[modify] https://crrev.com/f98f5c2ccea76c9d7e76646369e2f51e0c926521/third_party/WebKit/Source/web/WebPluginContainerImpl.cpp
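An added example, not code from this issue or from the Chromium commit above: a small report-uri endpoint helper that shows the two things discussed here, the `'report-sample'` opt-in in the policy and the use of the report's `script-sample` field to separate the site's own inline code from inline code that was never served (the false positives the reporter wanted to detect). Field names follow the CSP report JSON format; the policy strings, the set of known inline samples and the classification labels are constructed for illustration.

```javascript
// Does this policy ask the browser to include samples for the given directive?
// 'report-sample' is the opt-in expression; a directive that is absent falls
// back to default-src, as CSP does for fetch directives.
function requestsSample(policy, directive) {
  const dirs = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) dirs.set(name.toLowerCase(), values);
  }
  const values = dirs.get(directive) || dirs.get("default-src") || [];
  return values.includes("'report-sample'");
}

// Inline code the site itself ships (constructed sample). A real deployment
// would generate this set from the templates it actually serves.
const OWN_INLINE_SAMPLES = ["window.dataLayer = window.dataLayer || [];"];

// blocked-uri values that denote inline/eval'd code rather than a fetched URL.
const INLINE_KINDS = new Set(["inline", "eval"]);

// Classify one report body. Returns one of (labels are our own):
//   "external"       - blocked-uri is a URL or scheme keyword; triage by origin
//   "no-sample"      - inline violation without a sample (policy did not opt in)
//   "own-inline"     - sample matches code we serve: a policy bug on our side
//   "foreign-inline" - sample we never served: likely injected on the client
//                      (browser extension or other local software)
function classifyReport(body, ownSamples = OWN_INLINE_SAMPLES) {
  const r = body && body["csp-report"];
  if (!r || typeof r !== "object") throw new TypeError("not a CSP report");
  const blocked = String(r["blocked-uri"] || "");
  if (!INLINE_KINDS.has(blocked)) return "external";
  const sample = r["script-sample"];
  if (typeof sample !== "string" || sample.trim() === "") return "no-sample";
  // Browsers truncate the sample, so match by prefix rather than equality.
  const s = sample.trim();
  return ownSamples.some((own) => own.startsWith(s) || s.startsWith(own))
    ? "own-inline"
    : "foreign-inline";
}
```

Reports classified as "foreign-inline" are the ones worth filtering out of alerting, while "own-inline" reports point at a nonce or hash missing from the site's own markup.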


Comment 7 by bugdroid1@chromium.org, Mar 23 2017


Comment 8 by bugdroid1@chromium.org, Mar 30 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/28a45cda9497b44af350076f427695fb98ef6bd6

commit 28a45cda9497b44af350076f427695fb98ef6bd6
Author: andypaicu <andypaicu@chromium.org>
Date: Thu Mar 30 11:51:10 2017

Removed experimental features check for the "script-sample" feature

Received 3 LGTMs in the intent to ship:
https://groups.google.com/a/chromium.org/d/msg/blink-dev/XlcpobBfJOI/8WYpiyk0CQAJ
Spec: https://w3c.github.io/webappsec-csp/#deprecated-serialize-violation

BUG= 606774 

Review-Url: https://codereview.chromium.org/2784673005
Cr-Commit-Position: refs/heads/master@{#460725}

[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-multiple-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-multiple-reversed-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/platform/mac/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/LayoutTests/platform/win/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/Source/core/events/SecurityPolicyViolationEvent.idl
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/Source/core/events/SecurityPolicyViolationEventInit.idl
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/28a45cda9497b44af350076f427695fb98ef6bd6/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp

Status: Fixed (was: Assigned)
