Browser does not send CSP violation reports when utilizing HTTP2
Reported by
kristian...@gmail.com,
May 16 2016
Issue description

UserAgent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Steps to reproduce the problem:
1. Ensure an HTTP2 stream is enacted to a website that has a CSP violation and a report URL.
2. Notice that no CSP report is sent to the server.

What is the expected behavior?
It is expected that a CSP violation will be sent to the CSP report URL.

What went wrong?
A CSP report was NOT sent.

Did this work before? N/A

Chrome version: 50.0.2661.102 (64-bit)
Channel: stable
OS Version: 10.11.4
Flash Version: Shockwave Flash 21.0 r0

Also tested this via HTTP2 in Firefox v46 and the CSP violation report is sent just fine.
May 16 2016
Well, I presumed, like most people, that a Content Security Policy (CSP) report would be sent even when using HTTP2. If not, users and site admins are going to have a false sense of security. I don't see any discussion anywhere that HTTP2 reduces the security of sites protected by CSP policies.
May 16 2016
Mike, would you mind taking a look at this? I'm also not sure that we need to classify this as a security bug, but I'll leave the decision to you.
Apr 18 2017
A report that sounds similar to this bug: http://crbug.com/709958
Since CSP reporting is mostly for debugging and is not a security boundary, I'm making this a regular bug.
Nov 10 2017
Feb 18 2018
Comment 1 by elawrence@chromium.org
May 16 2016
Components: Blink>SecurityFeature
Summary: Browser does not send CSP violation reports when utilizing HTTP2 (was: Browser does not appear to send CSP violation reports when utilizing HTTP2)