Copied from upstream: https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/a5c4c18849b4
# HG changeset patch
# User Christoph Kerschbaumer
# Date 1456157874 28800
# Node ID a5c4c18849b486ef8693e20421b69239a2cbe574
# Parent e93aeb25e2a44df8d22f5a065b4410620e2c8730
Bug 1243178: CSP - Skip sending reports for non http schemes (r=dveditz) a=ritu
diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -798,16 +798,17 @@ nsCSPContext::SendReports(nsISupports* a
 (NS_SUCCEEDED(reportURI->SchemeIs("https", &isHttpScheme)) && isHttpScheme);
 if (!isHttpScheme) {
 const char16_t* params[] = { reportURIs[r].get() };
 CSP_LogLocalizedStr(NS_LITERAL_STRING("reportURInotHttpsOrHttp2").get(), params, ArrayLength(params), aSourceFile, aScriptSample, aLineNum, 0, nsIScriptError::errorFlag, "CSP", mInnerWindowID);
+ continue;
 }
 // make sure this is an anonymous request (no cookies) so in case the
 // policy URI is injected, it can't be abused for CSRF.
 nsLoadFlags flags;
 rv = reportChannel->GetLoadFlags(&flags);
 NS_ENSURE_SUCCESS(rv, rv);
 flags |= nsIRequest::LOAD_ANONYMOUS;
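Review bot: The added `continue;` in the `if (!isHttpScheme)` branch is the entire fix, yet nothing on the line says the branch must not fall through. Without a comment the block still reads as log-only and the skip is easy to drop in a later refactor. I would put `// Only http(s) report-uris may receive a report; skip every other scheme.` directly above it. `reportChannel->GetLoadFlags(&flags)` follows the branch immediately, so the channel appears to be created before the scheme test, outside this hunk. If that is the case, consider moving the scheme check ahead of channel creation so that no channel is constructed for a rejected URI. SendReports starts and ends outside the hunk, so the loop header and the channel setup are not visible here.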