
Specify sanitizing algorithm of blockedURL, documentURL, sourceFile beyond fragment exclusion #489

Closed
Rob--W opened this issue Apr 15, 2021 · 3 comments

Comments

@Rob--W
Member

Rob--W commented Apr 15, 2021

When a CSP violation report is generated, the current spec text specifies that the URL minus the reference fragment should be reported, as shown below. I propose to (re-)introduce a section like the "strip uri for reporting" section from CSP2 (which disappeared from CSP3) that describes the algorithm that more closely matches the de facto behavior: The full URL minus reference fragment is only reported for http(s), ftp, ws(s). In other cases the scheme is reported instead.

References to implementation:

More context and history are at https://bugzilla.mozilla.org/show_bug.cgi?id=1705523 . In there I added two wpt files to confirm this behavior with blob: and data: URLs.

Current spec text:

documentURL
The result of executing the URL serializer on violation’s url, with the exclude fragment flag set.
referrer
The result of executing the URL serializer on violation’s referrer, with the exclude fragment flag set.
blockedURL
The result of executing the URL serializer on violation’s resource, with the exclude fragment flag set.
sourceFile
The result of executing the URL serializer on violation’s source file, with the exclude fragment flag set if the violation’s source file is not null and the empty string otherwise.
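The following is an added example, not code from the CSP specification or from any browser, modelling the de facto stripping behavior the issue describes: URLs whose scheme is on an allowlist are reported without their fragment, and every other URL is reduced to its bare scheme, so a data: or blob: URL (which can embed page content) never reaches the report collector. The function names, the `violation` object shape and the two allowlist constants are assumptions made for this example; the wider list follows the issue text (http(s), ftp, ws(s)), the narrower one follows the "Remove wss/ws/ftp" step of the commit that closed the issue.

```javascript
// Added example (hypothetical names, not the spec's or any browser's code):
// a model of "strip URL for use in reports".

// Allowlist as described in the issue text: http(s), ftp, ws(s).
const REPORTABLE_SCHEMES_WIDE = new Set(["http", "https", "ftp", "ws", "wss"]);
// Narrower allowlist after the merged commit's "Remove wss/ws/ftp" step.
const REPORTABLE_SCHEMES_HTTP_ONLY = new Set(["http", "https"]);

// Returns the string that should appear in a CSP violation report for `input`.
function stripUrlForUseInReports(input, allowlist = REPORTABLE_SCHEMES_HTTP_ONLY) {
  let url;
  try {
    url = new URL(input);
  } catch {
    // Unparseable input: there is nothing safe to report, so report the empty string.
    return "";
  }
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  if (!allowlist.has(scheme)) {
    // data:, blob:, javascript:, file: etc. are reported as the scheme only,
    // which keeps embedded content and local paths out of the report.
    return scheme;
  }
  url.hash = ""; // setting the hash to "" drops the fragment entirely
  return url.href;
}

// Builds the four report fields quoted in the issue from a constructed
// violation record { documentURL, referrer, blockedURL, sourceFile | null }.
function buildReportFields(violation, allowlist = REPORTABLE_SCHEMES_HTTP_ONLY) {
  return {
    documentURL: stripUrlForUseInReports(violation.documentURL, allowlist),
    referrer: stripUrlForUseInReports(violation.referrer, allowlist),
    blockedURL: stripUrlForUseInReports(violation.blockedURL, allowlist),
    // sourceFile is null when the violation has no source file; report "".
    sourceFile: violation.sourceFile === null
      ? ""
      : stripUrlForUseInReports(violation.sourceFile, allowlist),
  };
}

// Constructed sample violation for a quick stand-alone run.
const sampleViolation = {
  documentURL: "https://app.example/page#section-2",
  referrer: "https://app.example/start?x=1#ref",
  blockedURL: "data:text/html,<script>alert(1)</script>#frag",
  sourceFile: null,
};
console.log(buildReportFields(sampleViolation));
```

Running the block prints the fragment-free document and referrer URLs, `blockedURL` as just `data`, and an empty `sourceFile`; passing `REPORTABLE_SCHEMES_WIDE` as the second argument shows how a `wss:` URL moves from scheme-only to full reporting under the older, wider list.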

@ArthurSonzogni
Member

ArthurSonzogni commented Nov 10, 2021

Thanks for opening this!

You made Firefox's behavior converge toward Chrome's, and today I just proposed changing Chrome's behavior to help webpack users here: crbug/1264789

I agree it would indeed be nice to agree on something to follow. Do you have something in mind? Would you have comments on this implementation?

ArthurSonzogni added a commit to ArthurSonzogni/webappsec-csp that referenced this issue Nov 15, 2021
Omit information from URLs in reports for:
- `blockedURI`
- `document-uri`
- `referrer`
- `source-file`

This is the de facto standard implemented in:
- Chrome [1] with "StripURLForUseInReports(...)"
- Firefox [2] with "StripURIForReporting(...)"
- Safari [3] with "deprecatedURLForReporting(...)"

The 3 implementations differ slightly. This patch proposes following
Chrome's latest one [4], which helps resolve bug [5].

See also Firefox & webappsec-csp related issue [6] [7].

[1]: https://source.chromium.org/search?q=StripURLForUseInReport
[2]: https://searchfox.org/mozilla-central/search?q=StripURIForReporting
[3]: https://github.com/WebKit/WebKit/blob/eea907e63be4676ad5cc56cabe4d00edf109b398/Source/WebCore/page/csp/ContentSecurityPolicy.cpp#L716
[4]: https://chromium-review.googlesource.com/c/chromium/src/+/3263879
[5]: https://bugs.chromium.org/p/chromium/issues/detail?id=1264789
[6]: w3c#489
[7]: https://bugzilla.mozilla.org/show_bug.cgi?id=1705523
ArthurSonzogni added a commit to ArthurSonzogni/webappsec-csp that referenced this issue Nov 15, 2021
ArthurSonzogni added a commit to ArthurSonzogni/webappsec-csp that referenced this issue Nov 15, 2021
ArthurSonzogni added a commit to ArthurSonzogni/webappsec-csp that referenced this issue Nov 15, 2021
ArthurSonzogni added a commit to ArthurSonzogni/webappsec-csp that referenced this issue Nov 15, 2021
ArthurSonzogni added a commit to ArthurSonzogni/webappsec-csp that referenced this issue Nov 15, 2021
ArthurSonzogni added a commit to ArthurSonzogni/webappsec-csp that referenced this issue Nov 16, 2021
@Rob--W
Member Author

Rob--W commented Nov 17, 2021

> Thanks for opening this!
>
> You made Firefox's behavior converge toward Chrome's, and today I just proposed changing Chrome's behavior to help webpack users here: crbug/1264789
>
> I agree it would indeed be nice to agree on something to follow. Do you have something in mind? Would you have comments on this implementation?

I commented here: #527 (comment)

ArthurSonzogni added a commit that referenced this issue Nov 22, 2021
* Introduce "Strip URL for use in reports".

Omit information from URLs in reports for:
- `blockedURI`
- `document-uri`
- `referrer`
- `source-file`

This is the de facto standard implemented in:
- [Chrome] with `StripURLForUseInReports(...)`
- [Firefox] with `StripURIForReporting(...)`
- [Safari] with `deprecatedURLForReporting(...)`

The 3 implementations differ slightly. This patch proposes following
[Chrome's patch], which helps resolve this [user's need].

See also related [firefox issue] and [webappsec-csp issue].

[Chrome]: https://source.chromium.org/search?q=StripURLForUseInReport
[Firefox]: https://searchfox.org/mozilla-central/search?q=StripURIForReporting
[Safari]: https://github.com/WebKit/WebKit/blob/eea907e63be4676ad5cc56cabe4d00edf109b398/Source/WebCore/page/csp/ContentSecurityPolicy.cpp#L716
[Chrome's patch]: https://chromium-review.googlesource.com/c/chromium/src/+/3263879
[user's need]: https://bugs.chromium.org/p/chromium/issues/detail?id=1264789
[firefox issue]: https://bugzilla.mozilla.org/show_bug.cgi?id=1705523
[webappsec-csp issue]: #489

* Apply suggestions from annevk@ review #1

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>

* Address annevk@ comments #2

* Address @annevk comments.

* Nit

* Switch toward an allowlist

* Remove wss/ws/ftp

* Update index.bs

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
@ArthurSonzogni
Member

Specification added in #527

ryandel8834 added a commit to ryandel8834/WebAppSec-CSP that referenced this issue Aug 13, 2022