CSP violation reports for web workers display an incorrect effective-directive value (worker-uri) when worker-src is not in the original policy

Issue #14150689 • Assigned to Steven K.

Details

Author
neil m.
Created
Oct 9, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Reports
Reported by 1 person


Steps to reproduce

In https://github.com/twitter/secureheaders/issues/358, we stumbled upon this behavior where the violation report contains `worker-uri` as a reference to a directive rather than `worker-src`.

In this case, worker-src was not supplied but was the effective-directive. I have not tested to see if this is the case when worker-src is supplied or if the incorrect reference exists in other places.

I’m just going to assume that Edge respects the value of the worker-src directive and does not require one to use worker-uri to match the error. I haven’t tested this either.

I filed this under developer tools because this isn’t a security issue and the only time I look at reports is in developer tools :)

{
    "csp-report": {
        "document-uri": "https://www.talegraph.com/tales/xxx",
        "blocked-uri": "blob",
        "violated-directive": "default-src 'self'",
        "original-policy": "default-src 'self'; connect-src 'self' wss://www.talegraph.com sentry.io api.segment.io api.mixpanel.com wss://*.crisp.chat storage.googleapis.com; font-src 'self' data: fonts.gstatic.com client.crisp.chat; frame-src 'self' blob:; img-src 'self' www.google-analytics.com client.crisp.chat image.crisp.chat data: blob: pi.prod.talegraph.net; media-src 'self' client.crisp.chat; object-src 'none'; script-src 'self' www.google-analytics.com cdn.segment.com cdn.mxpnl.com client.crisp.chat; style-src 'self' 'unsafe-inline' fonts.googleapis.com client.crisp.chat; report-uri https://talegraph.report-uri.io/r/default/csp/enforce",
        "effective-directive": "worker-uri",  <-- confusion
        "status-code": 200
    }
}
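The report above is filed under `worker-uri`, a directive name that does not exist in CSP, so anything that groups reports by effective directive (the secureheaders issue linked above is one such consumer) will either drop it or create a spurious bucket. The following is an added example, not code from this issue or from the secureheaders project: a small report-uri handler that parses the report body, maps the Edge spelling back to `worker-src`, parses `original-policy` into a directive map, and records which directive the CSP Level 3 fallback chain would have consulted. The alias table, the fallback chains (taken from the CSP Level 3 spec) and the trimmed sample report are assumptions made for the example.

```javascript
// Added example: normalize a CSP violation report so that Edge's
// "worker-uri" effective-directive is counted under "worker-src".
// Not code from the bug report or from secureheaders.

// Alias table (assumption): non-standard names seen in the wild -> CSP name.
const DIRECTIVE_ALIASES = {
  'worker-uri': 'worker-src',
};

// Fallback chains per CSP Level 3, most specific first (assumption that the
// consumer wants the Level 3 rules; older browsers used shorter chains).
const FALLBACKS = {
  'worker-src': ['worker-src', 'child-src', 'script-src', 'default-src'],
  'frame-src': ['frame-src', 'child-src', 'default-src'],
  'connect-src': ['connect-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
  'style-src': ['style-src', 'default-src'],
  'img-src': ['img-src', 'default-src'],
  'font-src': ['font-src', 'default-src'],
  'media-src': ['media-src', 'default-src'],
  'object-src': ['object-src', 'default-src'],
};

// Parse "original-policy" into { directiveName: [source, ...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of String(policy || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Map a reported directive name onto the CSP name it should be counted under.
function canonicalDirective(name) {
  const lower = String(name || '').toLowerCase();
  return DIRECTIVE_ALIASES[lower] || lower;
}

// First directive in the fallback chain that the policy actually declares,
// or null when none of them (not even default-src) is present.
function csp3Fallback(effective, directives) {
  const chain = FALLBACKS[effective] || [effective, 'default-src'];
  return chain.find((d) => Object.prototype.hasOwnProperty.call(directives, d)) || null;
}

// Normalize one report body (string or already-parsed object).
function normalizeReport(body) {
  const wrapper = typeof body === 'string' ? JSON.parse(body) : body;
  const report = wrapper['csp-report'] || {};
  const rawEffective = String(report['effective-directive'] || '').toLowerCase();
  const effective = canonicalDirective(rawEffective);
  const directives = parsePolicy(report['original-policy']);
  // violated-directive carries the directive name plus its source list;
  // only the name is needed for grouping.
  const violatedDirective = String(report['violated-directive'] || '').split(/\s+/)[0].toLowerCase();
  return {
    documentUri: report['document-uri'],
    blockedUri: report['blocked-uri'],
    effectiveDirective: effective,
    renamed: effective !== rawEffective,
    declaredInPolicy: Object.prototype.hasOwnProperty.call(directives, effective),
    violatedDirective,
    csp3Fallback: csp3Fallback(effective, directives),
  };
}

// Constructed sample: the Edge report from this issue, with the policy
// trimmed to the directives that matter for the worker-src fallback.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://www.talegraph.com/tales/xxx',
    'blocked-uri': 'blob',
    'violated-directive': "default-src 'self'",
    'original-policy': "default-src 'self'; script-src 'self' cdn.segment.com; frame-src 'self' blob:; object-src 'none'",
    'effective-directive': 'worker-uri',
    'status-code': 200,
  },
});

console.log(JSON.stringify(normalizeReport(SAMPLE_REPORT), null, 2));
```

For the sample, `effectiveDirective` comes out as `worker-src`, `declaredInPolicy` is false (the policy never set `worker-src`, as the issue describes), `violatedDirective` is `default-src` as Edge reported, and `csp3Fallback` is `script-src`, since the Level 3 chain reaches `script-src` before `default-src`; keeping both fields side by side is what lets a report consumer see that a browser walked a different chain than the one the spec it targets describes.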

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”
