Bug 664983 - don't send request headers with CSP violation reports, r=dveditz, a=asa
authorBrandon Sterne <bsterne@mozilla.com>
Thu, 21 Jul 2011 15:18:38 -0700
changeset 72701 e3b5c473098e0177b2569e896771f0d885c0cfd8
parent 72700 8d1b66d7fb5bc5a47e467b3fe195dbb4433b44f9
child 72702 e05bfc2a8b296780828d7778fde625531332e285
push id247
push userbsterne@mozilla.com
push dateThu, 21 Jul 2011 22:18:09 +0000
reviewersdveditz, asa
bugs664983
milestone7.0a2
Bug 664983 - don't send request headers with CSP violation reports, r=dveditz, a=asa
content/base/src/contentSecurityPolicy.js
--- a/content/base/src/contentSecurityPolicy.js
+++ b/content/base/src/contentSecurityPolicy.js
@@ -63,17 +63,16 @@ function ContentSecurityPolicy() {
   this._isInitialized = false;
   this._reportOnlyMode = false;
   this._policy = CSPRep.fromString("default-src *");
 
   // default options "wide open" since this policy will be intersected soon
   this._policy._allowInlineScripts = true;
   this._policy._allowEval = true;
 
-  this._requestHeaders = []; 
   this._request = "";
   this._docRequest = null;
   CSPdebug("CSP POLICY INITED TO 'default-src *'");
 }
 
 /*
  * Set up mappings from nsIContentPolicy content types to CSP directives.
  */
@@ -206,23 +205,16 @@ ContentSecurityPolicy.prototype = {
     // We will only be able to provide the HTTP version information if aChannel
     // implements nsIHttpChannelInternal
     if (internalChannel) {
       var reqMaj = {};
       var reqMin = {};
       var reqVersion = internalChannel.getRequestVersion(reqMaj, reqMin);
       this._request += " HTTP/" + reqMaj.value + "." + reqMin.value;
     }
-
-    // grab the request headers
-    var self = this;
-    aChannel.visitRequestHeaders({
-      visitHeader: function(aHeader, aValue) {
-        self._requestHeaders.push(aHeader + ": " + aValue);
-      }});
   },
 
 /* ........ Methods .............. */
 
   /**
    * Given a new policy, intersects the currently enforced policy with the new
    * one and stores the result.  The effect is a "tightening" or refinement of
    * an old policy.  This is called any time a new policy is encountered and
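Review bot: `reqVersion` on the `var reqVersion = internalChannel.getRequestVersion(reqMaj, reqMin);` line is assigned but never read; nsIHttpChannelInternal.getRequestVersion returns the version through its two out-params, so the local is always undefined and the call can simply be `internalChannel.getRequestVersion(reqMaj, reqMin);`. With the header visitor gone, that block is the only remaining use of the channel after the request line is built, so the dead local is now more conspicuous. The enclosing method starts before this hunk.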
@@ -265,31 +257,23 @@ ContentSecurityPolicy.prototype = {
   function(blockedUri, violatedDirective, aSourceFile, aScriptSample, aLineNum) {
     var uriString = this._policy.getReportURIs();
     var uris = uriString.split(/\s+/);
     if (uris.length > 0) {
       // Generate report to send composed of
       // {
       //   csp-report: {
       //     request: "GET /index.html HTTP/1.1",
-      //     request-headers: "Host: example.com
-      //                       User-Agent: ...
-      //                       ...",
       //     blocked-uri: "...",
       //     violated-directive: "..."
       //   }
       // }
-      var strHeaders = "";
-      for (let i in this._requestHeaders) {
-        strHeaders += this._requestHeaders[i] + "\n";
-      }
       var report = {
         'csp-report': {
           'request': this._request,
-          'request-headers': strHeaders,
           'blocked-uri': (blockedUri instanceof Ci.nsIURI ?
                           blockedUri.asciiSpec : blockedUri),
           'violated-directive': violatedDirective
         }
       }
       // extra report fields for script errors (if available)
       if (aSourceFile)
         report["csp-report"]["source-file"] = aSourceFile;
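Review bot: The guard `if (uris.length > 0)` cannot prevent a report from being assembled when no report URI is configured, because `"".split(/\s+/)` yields `[""]` (length 1); if `getReportURIs()` can return an empty string, a filter such as `var uris = uriString.split(/\s+/).filter(function(u) { return u.length > 0; });` would make the check meaningful. The `request` field that survives the change still carries the request line, so any query-string component of the path is reported where headers no longer are; whether that is acceptable depends on how `this._request` is built, which is outside this hunk. The `report` object literal also ends without a semicolon before the `if (aSourceFile)` line, relying on ASI. The function continues past the end of the hunk, and its name is on the line before it.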