Closed
Bug 1363298
Opened 7 years ago
Closed 7 years ago
CSP check for Function() constructor seems to no longer work
Categories
(Core :: DOM: Security, defect)
Tracking
RESOLVED FIXED
Version | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox53 | --- | unaffected
firefox55 | --- | unaffected
People
(Reporter: mark, Unassigned)
References
Details
(Keywords: testcase-wanted)
With a recent change (last night) on GitHub, where their framework introduced a "new Function()" call in a CSP-protected document, it caused issues on older versions of Firefox. Those would start throwing errors: "Error: call to Function() blocked by CSP". The latest versions, however, do not. This seems to be a regression.
Preliminary testing shows the following regression range: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=506facea63169a29e04eb140663da1730052db64&tochange=b3ec8a3373e8faca26c39e9ff577a2d4f8b6927a
The offending code in framework.js is t.exports=new Function("return this")() which is protected by CSP that doesn't include "unsafe-eval": script-src assets-cdn.github.com;
So according to the spec this should be blocked, but apparently isn't anymore.
Here is an even shorter regression range from mozilla-inbound: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=b3276dc9d5b1282e5c80b3fffff616da92d6bfae&tochange=41d8277af19246308bdf51bf0cd60da3498681b1
Comment 2•7 years ago
I can't reproduce in Firefox release (53), nor in Firefox Nightly (version 55, from May 7th). My STR:
1) go to github.com
2) open developer tools (ctrl+shift+k)
3) f=new Function("lol")
4) Error : call to Function() blocked by CSP
Comment 3•7 years ago
It also looks like we have tests for this, so this can't easily regress. Maybe we're missing something. Can you share some additional steps to repeat on your end, JustOff or Mark Straver? Maybe this is due to a non-standard setting or an extension?
Keywords: testcase-wanted
Updated•7 years ago
Status: NEW → UNCONFIRMED
Ever confirmed: false
STR:
1) Start Firefox 45.9 ESR (or any Firefox earlier than the regression ranges listed above)
2) Open https://github.com
3) `Error: call to Function() blocked by CSP` is in the console (and GitHub is partially inoperable)
It should be so because the site CSP doesn't include "unsafe-eval", as pointed out by Mark in the OP, but it isn't with recent Firefox versions.
Reporter
Comment 5•7 years ago
I only have 52ESR handy at the moment, but the same thing happens there, i.e. it doesn't block the load while it should. My STR in a new profile to avoid interference of prefs or extensions:
1) go to github.com
2) log in (might not be needed)
3) open any PR or issue page
Everything works while it should not, because:
- frameworks.js uses new Function() [1]
- CSP sets script-src to script-src assets-cdn.github.com; [2]
Using an older version of Firefox (see regression range) it throws:
14:17:54.767 Error: call to Function() blocked by CSP1 frameworks-05db7e79d74bfabc198f81407fd7cf00e300fc6b6ade60ac2fbcd77e585ec73a.js:1:6948
[1] relevant part of minified frameworks.js script on github at 1:6948:
5:[function(e,t,n){"use strict";t.exports=new Function("return this")()},{}]
[2] full CSP header:
"default-src 'none'; base-uri 'self'; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com github-production-repository-file-5c1aeb.s3.amazonaws.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; img-src 'self' data: assets-cdn.github.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com github-production-repository-file-5c1aeb.s3.amazonaws.com; media-src 'none'; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com"
I hope this helps.
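As an added example (not code from this bug thread, Firefox or GitHub), the following applies the reasoning of the description and comment 5 to a policy string: eval() and new Function() are governed by script-src (falling back to default-src) and are permitted only when that directive lists 'unsafe-eval'. It also shows a global-object shim that needs no string evaluation. The function names are my own; GITHUB_CSP is the header quoted in comment 5.

```javascript
// Added example, not code from the bug thread or from Firefox/GitHub: decide from a
// CSP header whether eval()/new Function() is permitted, and show a global-object
// shim that needs no string evaluation. GITHUB_CSP is the header quoted in comment 5.
const GITHUB_CSP = "default-src 'none'; base-uri 'self'; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com github-production-repository-file-5c1aeb.s3.amazonaws.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; img-src 'self' data: assets-cdn.github.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com github-production-repository-file-5c1aeb.s3.amazonaws.com; media-src 'none'; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com";

// Parse "directive src src; directive src" into a Map of directive name -> source list.
// A repeated directive is ignored (the first occurrence wins), as CSP requires.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// eval() and the Function constructor are governed by script-src, falling back to
// default-src. They are permitted only when the governing directive lists
// 'unsafe-eval'; a policy with neither directive places no restriction on eval.
function evalAllowed(header) {
  const d = parseCsp(header);
  const governing = d.get('script-src') ?? d.get('default-src');
  if (governing === undefined) return true;
  return governing.some(src => src.toLowerCase() === "'unsafe-eval'");
}

// The pattern GitHub's shim used to find the global object. Under a policy like
// GITHUB_CSP a browser must throw here ("call to Function() blocked by CSP").
function globalViaFunction() {
  return new Function('return this')();
}

// CSP-compatible alternative: locate the global object without evaluating a string,
// so it keeps working under script-src policies that omit 'unsafe-eval'.
function globalWithoutEval() {
  if (typeof globalThis !== 'undefined') return globalThis;
  if (typeof self !== 'undefined') return self;
  if (typeof window !== 'undefined') return window;
  if (typeof global !== 'undefined') return global;
  throw new Error('unable to locate the global object');
}
```

Run outside a CSP-enforcing document (e.g. in Node) both shims return the same global; only the first one is what a policy like GITHUB_CSP would block in a browser.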
Comment 6•7 years ago
Oh, I misread the date in the regression range to be in 2017, but it is in 2016. I have tested Firefox ESR (which is 52.x now) and Firefox Beta and Firefox Release and none of them are affected. I think we're talking about unsupported versions, here?
status-firefox53: --- → unaffected
status-firefox55: --- → unaffected
status-firefox-esr52: --- → unaffected
Comment 7•7 years ago
New profile, Firefox ESR (52.1.1) signed into GitHub, I do not get the scripts containing the Function constructor (using DevTools search). Trying to violate the CSP on purpose (see comment 2) does not work for me either.
Comment 8•7 years ago
I do get the code, and it seems to be some kind of shim for ES6 symbols. After implementing bug 1114580, which is included in this regression range, we presumably don't execute the code containing new Function anymore. I think this bug is Invalid, unless there is proof that the new Function call is actually executed.
Reporter
Comment 9•7 years ago
> I think we're talking about unsupported versions, here?
The unsupported versions seem to do it correctly. The supported versions do not. The issue is that something works (GitHub being operable) while it should not :P so, the ones marked unaffected are affected.
> After implementing bug 1114580, which is included in this regression range, we presumably don't execute the code containing new Function anymore.
If someone can confirm that, then it's clearly a problem with the shim that GitHub uses (and not a Firefox issue). Since it's all minified code, it's hard to tell what gets executed and what doesn't.
Comment 10•7 years ago
I've talked with my contacts at GitHub. This is a bug on their end and they are working on a fix that "should go out today" (whichever timezone that is). Thank you for reporting the problem!
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED