[Webkit-unassigned] [Bug 228019] New: SecurityPolicyViolationEvent contains wrong/incomplete values

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 16 02:05:06 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=228019

            Bug ID: 228019
           Summary: SecurityPolicyViolationEvent contains wrong/incomplete
                    values
           Product: WebKit
           Version: Safari 14
          Hardware: Unspecified
                OS: iOS 14
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: milankeser at outlook.de

Created attachment 433665

  --> https://bugs.webkit.org/attachment.cgi?id=433665&action=review

Comparison between safari and chrome

SecurityPolicyViolationEvent when fired contains incomplete/wrong fields.

How to reproduce:

 1. define csp rules `connect-src` to something that will block xhrs
 2. trigger an post xhr to some endpoint, for example `https://reqbin.com/echo/post/json`

Observe the securitypolicyviolation event. Blocked url contains only hostname without the path
I will post a screenshot with an scenario that I have

On the left side is safari, and on the right side is chrome.
If we check the blockedURI property we can see that chrome has correct value and on safari only hostname is added. Please note that `/bf` is missing on safari for `blockedURI` + query string.
Also safari seems like it assigned that value to the documentURI but the document url where it happened was on `my localhost IP address` and not on url where xhr was sent.
Additionally documentURI seems like is randomly correct as it sometimes has the right value and sometimes has the value that should be `blockedURI`.

I am doing some comparisons to filter out the xhrs I am sending from these violations ( I am gathering some analytics ) and with incomplete `blockedURI` value I am not able as it can match any xhr if it is sent to a URL relative to the hostname.

Firefox has the correct values all the time also.
I tested this on SAFARI 14, SAFARI 13 and it seems like it happens also on apple mail application.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210716/59dee1f2/attachment.htm>

More information about the webkit-unassigned mailing list