
Issue 613960

Starred by 2 users

Issue metadata

Status: Started
Owner:
Buried. Ping if important.
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




CSP violation reports should contain the original URL of a blocked resource.

Project Member Reported by mkwst@chromium.org, May 23 2016

Issue description

Given a policy which blocks `<img src='https://example.test/img.jpg'>` directly, the report should contain `https://example.test/img.jpg`.

If that URL is allowed, but redirects to `https://example.test/other.jpg`, which is blocked, the report should still contain `https://example.test/img.jpg`.

See the note in https://w3c.github.io/webappsec-csp/#create-violation-for-request for detail.
 
Project Member

Comment 1 by bugdroid1@chromium.org, May 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7fdaebc90aef59e3501139c327db46d2655a1275

commit 7fdaebc90aef59e3501139c327db46d2655a1275
Author: mkwst <mkwst@chromium.org>
Date: Mon May 30 14:46:20 2016

CSP violation reports should report the pre-redirect URL.

Before this patch, blocked cross-origin resource URLs are stripped down
to their origin before being reported to a policy's `report-uri` (same-origin
resources are reported in full). This doesn't match the specced behavior,
which suggests that we ought to be reporting the originally requested URL,
even if the blocked resource is the result of a redirect.

That is, given a policy which blocks `<img src='https://example.test/img.jpg'>`
directly, the report should contain `https://example.test/img.jpg`. If
that URL is allowed, but redirects to `https://example.test/other.jpg`,
which is blocked, the report should still contain `https://example.test/img.jpg`
(see the note in https://w3c.github.io/webappsec-csp/#create-violation-for-request
for detail).

This patch gets us ~halfway there, by altering the behavior of
`stripURLForUseInReport` to take account of the redirect status of the blocked
resource. If it has been redirected, we'll keep the status quo stripping behavior.
If it hasn't been redirected, we'll report the entire URL.

A future patch will get redirects working entirely correctly, but given the
value of reporting for things like mixed content detection, I don't think it's
worth waiting for a full patch; there's enough value here over the
status quo to land it and merge it back a bit.

BUG=613960

Review-Url: https://codereview.chromium.org/2002943002
Cr-Commit-Position: refs/heads/master@{#396726}

[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.php
[add] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/report-original-url.php
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-blocked.https.html
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/LayoutTests/http/tests/security/mixedContent/strict-mode-image-reportonly.https.php
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/Source/core/html/HTMLPlugInElement.cpp
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/Source/core/loader/MixedContentChecker.cpp
[modify] https://crrev.com/7fdaebc90aef59e3501139c327db46d2655a1275/third_party/WebKit/Source/core/loader/MixedContentChecker.h
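The stripping rule the commit message describes, modelled as an added example that is not Chromium's code: same-origin resources are reported in full, cross-origin resources were previously cut down to their origin, and after the patch only a cross-origin resource reached through a redirect keeps that origin-only stripping. The function names, the `pre_patch` switch and the sample URLs are assumptions made for illustration.

```python
# Added example, not Chromium's code: a model of the blocked-uri stripping
# behaviour that comment 1 describes, before and after the patch.
# Names (origin_of, strip_for_report, build_report) are assumptions.
from urllib.parse import urlsplit, urlunsplit


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL; userinfo, path, query and fragment are dropped."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname or ''}{port}"


def sanitized_full_url(url: str) -> str:
    """Full URL minus credentials and fragment (what a report carries when reported in full)."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return urlunsplit((p.scheme, f"{p.hostname or ''}{port}", p.path, p.query, ""))


def strip_for_report(blocked_url: str, document_origin: str,
                     redirected: bool, pre_patch: bool = False) -> str:
    """Model of stripURLForUseInReport as described in the commit message.

    Same-origin resources are always reported in full. Before the patch every
    cross-origin URL was cut down to its origin; after it, only a cross-origin
    resource that went through a redirect keeps the origin-only stripping.
    """
    if origin_of(blocked_url) == document_origin:
        return sanitized_full_url(blocked_url)
    if pre_patch or redirected:
        return origin_of(blocked_url)
    return sanitized_full_url(blocked_url)


def build_report(document_uri: str, violated_directive: str,
                 blocked_url: str, redirected: bool, pre_patch: bool = False) -> dict:
    """Assemble the JSON body a report-uri endpoint would receive (constructed sample)."""
    blocked = strip_for_report(blocked_url, origin_of(document_uri), redirected, pre_patch)
    return {"csp-report": {"document-uri": document_uri,
                           "violated-directive": violated_directive,
                           "blocked-uri": blocked}}


if __name__ == "__main__":
    for redirected in (False, True):
        r = build_report("https://app.test/page", "img-src 'self'",
                         "https://example.test/img.jpg", redirected)
        print("redirected" if redirected else "direct", "->", r["csp-report"]["blocked-uri"])
```

The redirected case reproduces the "halfway" state the commit describes; the spec behaviour would report the pre-redirect URL there as well.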

Comment 2 by rbyers@chromium.org, Nov 18 2016

Components: Blink>SecurityFeature

Comment 3 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 4 by est...@chromium.org, Feb 18 2018

Labels: -Hotlist-EnamelAndFriendsFixIt
