Specify sanitizing algorithm of blockedURL, documentURL, sourceFile beyond fragment exclusion #489
Comments
Thanks for opening this! You made Firefox's behavior converge toward Chrome, and today, I just proposed changing Chrome behavior to help webpack users here: crbug/1264789 I agree it would be nice indeed to agree on something to follow. Do you have something in mind? Would you have comments on this implementation?
Omit information from URLs in reports for:
- `blockedURI`
- `document-uri`
- `referrer`
- `source-file`

This is the de facto standard implemented in:
- Chrome [1] with "StripURLForUseInReports(...)"
- Firefox [2] with "StripURIForReporting(...)"
- Safari [3] with "deprecatedURLForReporting(...)"

The 3 implementations differ slightly. This patch proposes following Chrome's latest one [4], which helps resolve bug [5]. See also Firefox & webappsec-csp related issue [6] [7].

[1]: https://source.chromium.org/search?q=StripURLForUseInReport
[2]: https://searchfox.org/mozilla-central/search?q=StripURIForReporting
[3]: https://github.com/WebKit/WebKit/blob/eea907e63be4676ad5cc56cabe4d00edf109b398/Source/WebCore/page/csp/ContentSecurityPolicy.cpp#L716
[4]: https://chromium-review.googlesource.com/c/chromium/src/+/3263879
[5]: https://bugs.chromium.org/p/chromium/issues/detail?id=1264789
[6]: w3c#489
[7]: https://bugzilla.mozilla.org/show_bug.cgi?id=1705523
I commented here: #527 (comment)
* Introduce "Strip URL for use in reports".

Omit information from URLs in reports for:
- `blockedURI`
- `document-uri`
- `referrer`
- `source-file`

This is the de facto standard implemented in:
- [Chrome] with `StripURLForUseInReports(...)`
- [Firefox] with `StripURIForReporting(...)`
- [Safari] with `deprecatedURLForReporting(...)`

The 3 implementations differ slightly. This patch proposes following [Chrome's patch], which helps resolve this [user's need]. See also related [firefox issue] and [webappsec-csp issue].

[Chrome]: https://source.chromium.org/search?q=StripURLForUseInReport
[Firefox]: https://searchfox.org/mozilla-central/search?q=StripURIForReporting
[Safari]: https://github.com/WebKit/WebKit/blob/eea907e63be4676ad5cc56cabe4d00edf109b398/Source/WebCore/page/csp/ContentSecurityPolicy.cpp#L716
[Chrome's patch]: https://chromium-review.googlesource.com/c/chromium/src/+/3263879
[user's need]: https://bugs.chromium.org/p/chromium/issues/detail?id=1264789
[firefox issue]: https://bugzilla.mozilla.org/show_bug.cgi?id=1705523
[webappsec-csp issue]: #489

* Apply suggestions from annevk@ review #1

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>

* Address annevk@ comments #2
* Address @annevk comments.
* Nit
* Switch toward an allowlist
* Remove wss/ws/ftp
* Update index.bs

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
Specification added in #527
When a CSP violation report is generated, the current spec text specifies that the URL minus the reference fragment should be reported, as shown below. I propose to (re-)introduce a section like the "strip uri for reporting" section from CSP2 (which disappeared from CSP3) that describes the algorithm that more closely matches the de facto behavior: The full URL minus reference fragment is only reported for http(s), ftp, ws(s). In other cases the scheme is reported instead.
References to implementation:
- StripURLForUseInReport: https://source.chromium.org/chromium/chromium/src/+/master:third_party/blink/renderer/core/frame/csp/content_security_policy.cc;l=864;drc=efb0f6367a11f87129195032753f332b925ecf5f
- StripURIForReporting: https://searchfox.org/mozilla-central/rev/0b90e582d2f592a30713bafc55bfeb0e39e1a1fa/dom/security/nsCSPContext.cpp#935-963

More context and history is at https://bugzilla.mozilla.org/show_bug.cgi?id=1705523 . In there I added two wpt files to confirm this behavior with blob: and data:-URLs.
Current spec text:
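To make the reporting behavior discussed in this thread concrete, here is an added example (not code from the webappsec-csp spec, from any browser, or from the issue author) that models the "strip URL for use in reports" step: the fragment is removed for URLs whose scheme is on an allowlist, and for any other scheme only the scheme itself is reported, so `blob:` and `data:` URLs never leak their contents into a report. The two allowlists are taken from this thread (the issue body's http(s)/ftp/ws(s) set, and the narrower http(s)-only set after the "Remove wss/ws/ftp" commit); the function names, the report-builder helper and the sample violation context are this example's own assumptions.

```javascript
// Added example: a model of "strip URL for use in reports" as described in
// this issue. Not the spec's or any browser's code; names are illustrative.

// Allowlist the issue body describes as the de facto behavior at the time.
const ISSUE_ALLOWLIST = ["http", "https", "ftp", "ws", "wss"];
// Narrower allowlist after the "Remove wss/ws/ftp" commit in PR #527.
const FINAL_ALLOWLIST = ["http", "https"];

// Returns the URL minus its fragment when the scheme is allowlisted, the
// bare scheme for every other URL, and "" for input that does not parse
// (an unparseable string is not echoed back into the report).
function stripUrlForUseInReports(urlString, allowlist = FINAL_ALLOWLIST) {
  let url;
  try {
    url = new URL(urlString); // WHATWG URL parser (global in Node and browsers)
  } catch {
    return "";
  }
  const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
  if (!allowlist.includes(scheme)) {
    return scheme; // e.g. "blob", "data", "filesystem"
  }
  url.hash = ""; // drop the reference fragment, keep path and query
  return url.href;
}

// Applies the stripping to every URL-valued field of a CSP violation report
// body: document-uri, referrer, blocked-uri and source-file, the four fields
// named in the linked commit message. Other fields pass through unchanged.
function buildViolationReport(ctx, allowlist = FINAL_ALLOWLIST) {
  const strip = (u) => stripUrlForUseInReports(u, allowlist);
  return {
    "document-uri": strip(ctx.documentUrl),
    referrer: strip(ctx.referrer),
    "blocked-uri": strip(ctx.blockedUrl),
    "source-file": strip(ctx.sourceFile),
    "effective-directive": ctx.effectiveDirective,
    "original-policy": ctx.originalPolicy,
    "line-number": ctx.lineNumber,
  };
}

// Constructed sample violation context (not a real report).
const SAMPLE_CONTEXT = {
  documentUrl: "https://app.example/dashboard?user=42#access_token=secret",
  referrer: "https://login.example/?next=%2Fdashboard#state",
  blockedUrl: "blob:https://app.example/6d2f1c3e-constructed-uuid",
  sourceFile: "https://cdn.example/bundle.js#sourceMap",
  effectiveDirective: "script-src",
  originalPolicy: "script-src 'self'; report-uri /csp",
  lineNumber: 12,
};

function main() {
  console.log(JSON.stringify(buildViolationReport(SAMPLE_CONTEXT), null, 2));
  // With the issue body's wider allowlist a ws(s): URL keeps its path:
  console.log(stripUrlForUseInReports("wss://app.example/socket#x", ISSUE_ALLOWLIST));
}

if (typeof require !== "undefined" && require.main === module) {
  main();
}
```

Running `main()` shows the document URL and source file reported without their fragments (the `#access_token=...` part never reaches the report endpoint) and the blocked `blob:` URL reported as just `blob`, which matches the blob:/data: behavior the issue author tested with the wpt files mentioned above. Switching the allowlist argument to `ISSUE_ALLOWLIST` reproduces the earlier ws(s)/ftp behavior for comparison.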