Chrome Version : 50.0.2661.94 (also tested 51 and 52)
URLs (if applicable) : http://lingro.com:81/cgi-bin/csp-both-modes.py
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Firefox 46: OK
What steps will reproduce the problem?
1. Create a page setting 2 CSP policies, one in enforcement mode which uses nonces, and one as Content-Security-Policy-Report-Only.
2. Ensure that the policy in enforcement mode has a whitelist which would not permit all scripts to execute, but that every script on the page has a valid nonce -- so that the enforcing policy generates no violations.
3. Ensure that the Report-Only policy causes a violation.
What is the expected result?
The Report-Only policy causes a violation, a report is sent to the report-uri endpoint in the Report-Only policy, and all scripts execute normally.
What happens instead of that?
Chrome behaves as if the violation applied to the enforcing policy, prevents the script from running and reports a violation to the report-uri of the enforcing policy.
Repro case:
Content-Security-Policy: script-src 'nonce-foobar123'; report-uri /enforcing
Content-Security-Policy-Report-Only: script-src 'self'; report-uri /report-only
<html>
<head>
<script nonce="foobar123" src="/cgi-bin/jsonp-log.py?msg=external script in head"></script>
<script nonce="foobar123" src="https://code.jquery.com/jquery-1.11.3.js"></script>
</head>
</html>
In this case both scripts should run, but the code.jquery.com one should report a violation to the /report-only endpoint (this is what happens in FF). Instead, both scripts are blocked and two violations are sent to /enforcing. This is doubly strange because at least the first script should execute (it is allowed by both policies).
When the Report-Only policy is removed, the behavior is as expected (both scripts execute).
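As an added illustration (not part of the bug report), a small Python model of how a spec-conforming browser should evaluate the two headers above independently of each other; source-expression matching is simplified to nonce sources, 'self' and exact scheme://host[:port] sources, and the third case (a same-origin script without a nonce) is constructed here:

```python
from urllib.parse import urljoin, urlparse

def parse_policy(header, report_only):
    """Parse a header carrying only script-src and report-uri (assumption: no other directives)."""
    policy = {"sources": [], "report_uri": None, "report_only": report_only}
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            policy["sources"] = parts[1:]
        elif parts and parts[0] == "report-uri":
            policy["report_uri"] = parts[1]
    return policy

def source_matches(expr, script_url, script_nonce, page_url):
    """Simplified matching: a nonce source, 'self', or an exact scheme://host[:port] source."""
    if expr.startswith("'nonce-"):
        return script_nonce is not None and expr == f"'nonce-{script_nonce}'"
    expr_url = urlparse(page_url if expr == "'self'" else expr)
    return (script_url.scheme, script_url.netloc) == (expr_url.scheme, expr_url.netloc)

def evaluate(policies, page_url, script_src, script_nonce):
    """Evaluate every policy independently: a violated enforcing policy blocks the script and
    reports to its own report-uri; a violated report-only policy only reports to its own."""
    script_url = urlparse(urljoin(page_url, script_src))
    blocked, reports = False, []
    for p in policies:
        if not any(source_matches(e, script_url, script_nonce, page_url) for e in p["sources"]):
            reports.append(p["report_uri"])
            blocked = blocked or not p["report_only"]
    return blocked, reports

# The page URL and the two headers from the repro case
PAGE = "http://lingro.com:81/cgi-bin/csp-both-modes.py"
POLICIES = [
    parse_policy("script-src 'nonce-foobar123'; report-uri /enforcing", report_only=False),
    parse_policy("script-src 'self'; report-uri /report-only", report_only=True),
]

def expected_behaviour():
    """(blocked, reports) per script, as a spec-conforming browser should decide them."""
    return {
        # nonced, same-origin: satisfies both policies, nothing reported
        "head_script": evaluate(POLICIES, PAGE, "/cgi-bin/jsonp-log.py?msg=external script in head", "foobar123"),
        # nonced, cross-origin: enforcing satisfied, report-only violated, so it runs and one report goes out
        "jquery": evaluate(POLICIES, PAGE, "https://code.jquery.com/jquery-1.11.3.js", "foobar123"),
        # constructed extra case: same-origin without a nonce, blocked by the enforcing policy alone
        "no_nonce": evaluate(POLICIES, PAGE, "/cgi-bin/jsonp-log.py", None),
    }
```

The `jquery` entry is the expected result described above: the script runs and a single report goes to /report-only, whereas the reported Chrome behaviour would be `(True, ["/enforcing"])` for both scripts.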
Comment 1 by mkwst@chromium.org, May 13 2016
Components: Blink>SecurityFeature
Labels: -Pri-2 Pri-1