CSP: firefox reports are not triggering events #2475

Closed
shekyan opened this issue Dec 19, 2015 · 8 comments
@shekyan

shekyan commented Dec 19, 2015

Firefox 42 generates CSP violation reports that are visible in the diagram on the dashboard, but no events are generated.

@mattrobenolt
Contributor

Do you have a page that reproduces? I'm curious what the payload was that was sent. It's likely that it got filtered out as garbage, but can't say for sure without knowing the payload. :)

@mattrobenolt mattrobenolt self-assigned this Dec 19, 2015
@shekyan
Author

shekyan commented Dec 19, 2015

Hard to tell, because Firefox doesn't capture the POST body when you do copy as cURL.
However, it is reproducible with FF 43.0.1 on OSX now on my web app at cspvalidator.org.
Response for the report is 403: Invalid CSP Report: Invalid value for 'effective-directive'.
Here is the POST message I got through Copy POST Data:

{"csp-report":{"blocked-uri":"self","document-uri":"https://cspvalidator.org/","original-policy":"default-src 'none'; script-src https://cspvalidator.org https://www.google-analytics.com https://code.jquery.com https://maxcdn.bootstrapcdn.com; img-src https://cspvalidator.org https://www.google-analytics.com; font-src https://cspvalidator.org https://fonts.gstatic.com https://bootswatch.com; connect-src https://cspvalidator.org; style-src https://cspvalidator.org https://bootswatch.com https://fonts.googleapis.com; frame-ancestors 'none'; form-action https://cspvalidator.org; report-uri https://app.getsentry.com/api/61840/csp-report/?sentry_version=5&sentry_key=fa6dfb4b9f18472ea63004645f521c17","referrer":"","source-file":"https://cspvalidator.org/","violated-directive":"style-src https://cspvalidator.org https://bootswatch.com https://fonts.googleapis.com"}}

@mattrobenolt
Contributor

Ah, yes, because the report is missing the effective-directive entirely. See: http://www.w3.org/TR/CSP/#violation-report-effective-directive

Without this value on our side, it makes it much much harder to group effectively, so we discard reports that don't include it since the spec suggests that it should exist.

@mattrobenolt
Contributor

We ultimately end up grouping on this: https://github.com/getsentry/sentry/blob/master/src/sentry/interfaces/csp.py#L141

So we attempt to group on something like: ('script-src', 'example.com') and without the effective-directive, we don't really know what the violation was.

I guess in your case though, violated-directive is being sent, so in theory, we could try and parse that to extract the effective-directive out of it, but I'm not sure that's worth the effort.

Unless I've misunderstood, it seems that effective-directive should be sent, and some older browsers do not do that.

Do you know if this is correct in FF 43? (I can check if you don't know off hand).
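The validation and grouping behaviour described in the comments above, as an added example that is not Sentry's own code (the real implementation lives in `src/sentry/interfaces/csp.py` as linked). It rejects a report that lacks `effective-directive`, mirroring the 403 reported in the thread, and optionally applies the fallback the comment suggests: deriving the effective directive from the first token of `violated-directive`. The function names, the `derive_effective` flag, the simplified grouping key `(directive, blocked-uri)` and both sample payloads are assumptions constructed for this example; the Firefox-style payload is modelled on the one posted above with a shortened policy and a placeholder report-uri.

```python
import json


class InvalidCspReport(ValueError):
    """Raised when a report is rejected (the 403 case in the thread)."""


# Fields that must be present and non-empty before we accept a report.
REQUIRED_FIELDS = ("document-uri", "violated-directive")


def parse_csp_report(body, derive_effective=False):
    """Parse a CSP violation report POST body into a normalized dict.

    By default a report without 'effective-directive' is rejected, as the
    spec says the field should exist. With derive_effective=True the
    effective directive is taken from the first token of 'violated-directive'
    (the fallback discussed in the issue), which is only a heuristic.
    """
    try:
        outer = json.loads(body)
    except ValueError as exc:
        raise InvalidCspReport("body is not valid JSON") from exc

    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        raise InvalidCspReport("missing 'csp-report' object")

    for key in REQUIRED_FIELDS:
        value = report.get(key)
        if not isinstance(value, str) or not value.strip():
            raise InvalidCspReport("Invalid value for %r" % key)

    effective = report.get("effective-directive")
    if not isinstance(effective, str) or not effective.strip():
        if not derive_effective:
            raise InvalidCspReport("Invalid value for 'effective-directive'")
        # Fallback: 'violated-directive' carries the whole directive text,
        # e.g. "style-src https://a https://b"; its first token is the name.
        tokens = report["violated-directive"].split()
        if not tokens:
            raise InvalidCspReport("Invalid value for 'violated-directive'")
        effective = tokens[0]

    return {
        "effective_directive": effective.strip(),
        "blocked_uri": report.get("blocked-uri") or "",
        "document_uri": report["document-uri"],
    }


def grouping_key(parsed):
    """Simplified grouping key, e.g. ('script-src', 'example.com')."""
    return (parsed["effective_directive"], parsed["blocked_uri"])


# Constructed sample: Firefox-style report without 'effective-directive'.
FIREFOX_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "self",
    "document-uri": "https://cspvalidator.org/",
    "original-policy": "default-src 'none'; style-src https://cspvalidator.org "
                       "https://bootswatch.com; report-uri https://example.invalid/csp",
    "referrer": "",
    "source-file": "https://cspvalidator.org/",
    "violated-directive": "style-src https://cspvalidator.org https://bootswatch.com",
}})

# Constructed sample: a report that does carry 'effective-directive'.
FULL_REPORT = json.dumps({"csp-report": {
    "blocked-uri": "https://evil.invalid/x.js",
    "document-uri": "https://cspvalidator.org/",
    "effective-directive": "script-src",
    "violated-directive": "script-src https://cspvalidator.org",
}})


if __name__ == "__main__":
    print(grouping_key(parse_csp_report(FULL_REPORT)))
    try:
        parse_csp_report(FIREFOX_REPORT)
    except InvalidCspReport as err:
        print("rejected:", err)
    print(grouping_key(parse_csp_report(FIREFOX_REPORT, derive_effective=True)))
```

Running it shows the full report grouping normally, the Firefox-style report being rejected with the same "Invalid value for 'effective-directive'" message seen in the thread, and the fallback recovering `style-src` from `violated-directive` when the flag is enabled.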

@shekyan
Author

shekyan commented Dec 19, 2015

Apparently there is an issue reported on this: https://bugzilla.mozilla.org/show_bug.cgi?id=1192684.

@mattrobenolt
Contributor

Ah. Yeah, this comment sums up my findings as well: https://bugzilla.mozilla.org/show_bug.cgi?id=1192684#c4

@shekyan is there anything else to add to this? Or can we close? I'm going to err on the side that this is Mozilla's job to implement this into Firefox and there's not much we can do here otherwise.

@shekyan
Author

shekyan commented Dec 19, 2015

Let's just pray and hope.

@shekyan shekyan closed this as completed Dec 19, 2015
@mattrobenolt
Contributor

🙏
