[Webkit-unassigned] [Bug 149000] New: Some extensions triggers CSP violation reports

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 9 07:10:24 PDT 2015


            Bug ID: 149000
           Summary: Some extensions triggers CSP violation reports
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dante3333 at gmail.com

Steps to reproduce the problem:
1. Create a page with a CSP policy (without putting style-src 'unsafe-inline') and with a report uri
2. Open the page
3. Use some extensions like Diigo, Evernote, etc.
4. a report is sent to report-uri

What is the expected behavior?
The extension should not trigger any CSP policy violation, according to wikipedia : browsers and add-ins should be exempt from CSP => https://en.wikipedia.org/wiki/Content_Security_Policy#Browser_add-ons_and_extensions_exemption

What went wrong?
A report is sent to report-uri with safari-extension:// as source, like
 blocked-uri: "safari-extension://com.evernote.safari.clipper-q79wdw8yh9" 
(which shouldn't be)

The report_uri script gets a CSP violation. Example on one of my websites :

    "csp-report": {
        "document-uri": "http://a11y.nicolas-hoffmann.net/tabs/",
        "referrer": "https://www.google.fr/",
        "violated-directive": "frame-src 'self' ",
        "original-policy": "default-src 'self';  script-src 'self' *.jquery.com  ; style-src 'self' 'unsafe-inline' data:  ; img-src 'self' data: ;  frame-src 'self' ; report-uri /csp-parser.php",
        "blocked-uri": "safari-extension://com.wotservicesoy.wot-ff6ww26hl3"

I don't know if it may help, the same bug is present on Blink: https://code.google.com/p/chromium/issues/detail?id=524356 (with a lot of more details)

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150909/a2c6a763/attachment.html>

More information about the webkit-unassigned mailing list