[Webkit-unassigned] [Bug 149000] New: Some extensions triggers CSP violation reports
bugzilla-daemon at webkit.org
Wed Sep 9 07:10:24 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=149000
Bug ID: 149000
Summary: Some extensions triggers CSP violation reports
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: dante3333 at gmail.com
Steps to reproduce the problem:
1. Create a page with a CSP policy (without putting style-src 'unsafe-inline') and with a report uri
2. Open the page
3. Use some extensions like Diigo, Evernote, etc.
4. A report is sent to report-uri
What is the expected behavior?
The extension should not trigger any CSP policy violation. According to Wikipedia, browsers and add-ins should be exempt from CSP => https://en.wikipedia.org/wiki/Content_Security_Policy#Browser_add-ons_and_extensions_exemption
What went wrong?
A report is sent to report-uri with safari-extension:// as source, like
blocked-uri: "safari-extension://com.evernote.safari.clipper-q79wdw8yh9"
(which shouldn't be)
The report_uri script gets a CSP violation. Example on one of my websites:
{
  "csp-report": {
    "document-uri": "http://a11y.nicolas-hoffmann.net/tabs/",
    "referrer": "https://www.google.fr/",
    "violated-directive": "frame-src 'self' ",
    "original-policy": "default-src 'self'; script-src 'self' *.jquery.com ; style-src 'self' 'unsafe-inline' data: ; img-src 'self' data: ; frame-src 'self' ; report-uri /csp-parser.php",
    "blocked-uri": "safari-extension://com.wotservicesoy.wot-ff6ww26hl3"
  }
}
I don't know if it may help, but the same bug is present on Blink: https://code.google.com/p/chromium/issues/detail?id=524356 (with a lot more details)
--
You are receiving this mail because:
You are the assignee for the bug.
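
Added example, not part of the original bug report or of WebKit's code: a triage step for a report-uri endpoint that tags reports like the one above as extension-originated, based on the scheme of blocked-uri or source-file, so they can be counted separately from violations caused by the site's own content. The function names and the list of extension schemes are assumptions of this example.

```python
import json

# Schemes browsers use for extension resources (assumed list for this example; extend as needed).
EXTENSION_SCHEMES = frozenset({
    "safari-extension", "safari-web-extension",
    "chrome-extension", "moz-extension", "ms-browser-extension",
})

# Report fields that can carry the origin of the blocked or injecting resource.
URI_FIELDS = ("blocked-uri", "source-file")

# The report quoted in the bug, with original-policy shortened for the example.
PAGE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://a11y.nicolas-hoffmann.net/tabs/",
    "violated-directive": "frame-src 'self' ",
    "original-policy": "default-src 'self'; frame-src 'self' ; report-uri /csp-parser.php",
    "blocked-uri": "safari-extension://com.wotservicesoy.wot-ff6ww26hl3",
}})

# Constructed sample: a violation caused by the page's own markup.
SITE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://site.example/",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://cdn.example/lib.js",
}})


def uri_scheme(value):
    """Return the lower-cased scheme of a report URI, or '' for keywords such as 'inline'."""
    if not isinstance(value, str) or ":" not in value:
        return ""
    return value.strip().partition(":")[0].lower()


def classify_report(raw_body):
    """Classify a raw report-uri POST body as 'extension', 'site' or 'malformed'."""
    try:
        report = json.loads(raw_body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if not isinstance(report, dict):
        return "malformed"
    for field in URI_FIELDS:
        if uri_scheme(report.get(field)) in EXTENSION_SCHEMES:
            return "extension"
    return "site"
```

Tagging rather than discarding keeps the extension reports available for counting, since report bodies are client-supplied and the scheme alone is not proof of origin.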