[tbb-bugs] #23629 [Applications/Tor Browser]: CSP error reports not sent - intended/safe ?

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Oct 7 09:09:31 UTC 2017


#23629: CSP error reports not sent - intended/safe ?
--------------------------------------+-----------------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  enhancement               |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by cypherpunks):

 https://photistic.org/photo/seascapes.html

 This is due to either some code bugs _and_ only triggers CSP violations
 with a Firefox browser (not tested with mobile versions),

 or a Firefox bug itself.

 In my opinion I would have thought it better to not send
 reports... somebody could set up a report link and maliciously make CSP
 errors.

 example:

 {
     "csp-report": {
         "blocked-uri": "self",
         "document-uri": "https://photistic.org/photo/seascapes.html",
         "line-number": 1,
         "original-policy": "default-src 'none'; connect-src https://photistic.org; font-src https://photistic.org; img-src data: https://photistic.org; script-src https://photistic.org; style-src https://photistic.org; upgrade-insecure-requests; report-uri https://photistic.report-uri.io/r/default/csp/enforce",
         "script-sample": "@font-face {font-family:\"font\";src:url(\"...",
         "source-file": "https://photistic.org/photo/seascapes.html",
         "violated-directive": "style-src https://photistic.org"
     }
 }

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23629#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online