Re: [tor-bugs] #23629 [Applications/Tor Browser]: CSP error reports not sent - intended/safe ?
#23629: CSP error reports not sent - intended/safe ?
--------------------------------------+-----------------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: enhancement | Status: needs_information
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+-----------------------------------
Comment (by cypherpunks):
https://photistic.org/photo/seascapes.html
This is due either to some code bugs, and it only triggers CSP violations
with a Firefox browser (not tested with mobile versions),
or to a Firefox bug itself.
In my opinion, I would have thought it better not to send
reports... somebody could set up a report link and maliciously make CSP
errors.
Example:
{
  "csp-report": {
    "blocked-uri": "self",
    "document-uri": "https://photistic.org/photo/seascapes.html",
    "line-number": 1,
    "original-policy": "default-src 'none'; connect-src https://photistic.org; font-src https://photistic.org; img-src data: https://photistic.org; script-src https://photistic.org; style-src https://photistic.org; upgrade-insecure-requests; report-uri https://photistic.report-uri.io/r/default/csp/enforce",
    "script-sample": "@font-face {font-family:\"font\";src:url(\"...",
    "source-file": "https://photistic.org/photo/seascapes.html",
    "violated-directive": "style-src https://photistic.org"
  }
}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23629#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
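The concern raised in the comment is that a CSP violation report carries the full document URL and is POSTed to whatever report-uri the policy names, which in the quoted report is a host (photistic.report-uri.io) other than the page's own (photistic.org). The script below is an added example, not code from the ticket, from Firefox or from Tor Browser: it parses a report body in the report-uri JSON shape shown in the comment, pulls the report-uri targets out of the serialized policy, and flags those that resolve to a different host than the document. The sample body is constructed after the quoted report with the policy string joined onto one line so the JSON is valid; the field names it checks are the ones present in that report, nothing more is assumed about the browser's format.

```javascript
// Added example (not from the ticket or Tor Browser): parse a CSP violation
// report body of the kind a browser POSTs to a report-uri endpoint, and
// flag report targets that sit on a different host than the document that
// produced the report. The sample body is constructed after the report
// quoted in the ticket comment, with the policy joined into one string.
const sampleReport = JSON.stringify({
  "csp-report": {
    "blocked-uri": "self",
    "document-uri": "https://photistic.org/photo/seascapes.html",
    "line-number": 1,
    "original-policy":
      "default-src 'none'; connect-src https://photistic.org; " +
      "font-src https://photistic.org; img-src data: https://photistic.org; " +
      "script-src https://photistic.org; style-src https://photistic.org; " +
      "upgrade-insecure-requests; " +
      "report-uri https://photistic.report-uri.io/r/default/csp/enforce",
    "script-sample": "@font-face {font-family:\"font\";src:url(\"...",
    "source-file": "https://photistic.org/photo/seascapes.html",
    "violated-directive": "style-src https://photistic.org"
  }
});

// Validate the envelope: a JSON object with a "csp-report" member carrying
// the string fields the quoted report has and the analysis needs.
function parseCspReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    throw new Error("report body is not valid JSON");
  }
  const report = parsed && parsed["csp-report"];
  if (!report || typeof report !== "object") {
    throw new Error('missing "csp-report" object');
  }
  for (const field of ["document-uri", "violated-directive", "original-policy"]) {
    if (typeof report[field] !== "string") {
      throw new Error(`missing or non-string field: ${field}`);
    }
  }
  return report;
}

// Pull every report-uri value out of a serialized policy. Directives are
// separated by ';'; the first whitespace-separated token is the directive
// name and the remaining tokens are its values.
function reportUriTargets(policy) {
  const targets = [];
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 1 && tokens[0].toLowerCase() === "report-uri") {
      targets.push(...tokens.slice(1));
    }
  }
  return targets;
}

// Resolve each report target against the document URL and keep the ones
// whose host differs from the document's: those endpoints learn the full
// document URL whenever the browser sends a report.
function analyzeReport(body) {
  const report = parseCspReport(body);
  const documentUrl = new URL(report["document-uri"]);
  const targets = reportUriTargets(report["original-policy"]);
  const thirdParty = targets.filter((target) => {
    try {
      return new URL(target, documentUrl).host !== documentUrl.host;
    } catch (e) {
      return false; // unresolvable target: nothing would be posted there
    }
  });
  return {
    documentHost: documentUrl.host,
    violatedDirective: report["violated-directive"].split(/\s+/)[0],
    reportTargets: targets,
    thirdPartyReportTargets: thirdParty,
  };
}

// Stand-alone run: show the analysis of the constructed sample.
console.log(JSON.stringify(analyzeReport(sampleReport), null, 2));
```

Run with `node`, the sample yields `violatedDirective` of `style-src` and one third-party report target, the report-uri.io collector. A policy whose report-uri is a relative path such as `/csp-endpoint` resolves to the document's own host and is not flagged, which is the distinction a report-receiving endpoint or a browser privacy check would draw.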