Closed Bug 1437009 Opened 6 years ago Closed 5 years ago

CSP is not propagated to the TriggeringPrincipal for right-click new tab, ctrl-click new tab, drag & drop new tab cases

Categories

(Core :: DOM: Security, defect, P3)

60 Branch
defect

Tracking

RESOLVED DUPLICATE of bug 1515863

People

(Reporter: vinoth, Unassigned)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180206100151

Steps to reproduce:

1. Click the link https://www.halesworth.net/links/list_two.php?code=3
2. Find the link in the list with the name "Walpole Chapel".
3. Normal click on the link from [2] will throw "Your connection is not secure" and the page will not be loaded, because of the "upgrade-insecure-requests" CSP from [1].
4. Opening the link using Right-Click new tab or ctrl-click new tab or drag-and-drop new tab will load the page without any "Your connection is not secure" error.


Actual results:

Summary of actual result: 
* right-click secure link to force top-level navigation
* the initial load is secure link
* the request hits a 30x redirect to navigate to an insecure cross-origin page

This is because the CSP is not propagated to the TriggeringPrincipal for these scenarios.
The CSP object is null in the line of code below:
https://dxr.mozilla.org/mozilla-central/source/docshell/base/nsDocShell.cpp#10753


Expected results:

Expected Result:

Link should be blocked from loading for all these scenarios because of the "upgrade-insecure-requests" CSP.

CSP should be propagated to the Principal for all these scenarios.
Blocks: 1422284
Component: Untriaged → DOM: Security
Product: Firefox → Core
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Restrict Comments: true

The original testcase here doesn't work anymore because the links have been changed in markup. However, I believe this bug was fixed in 66 and later by bug 1515863. Vinoth / Christoph, can you confirm?

Flags: needinfo?(ckerschb)
Flags: needinfo?(cegvinoth)

(the dupes that use inline JS still open tabs but the JS doesn't run, which seems reasonable behavior)

(In reply to :Gijs (he/him) from comment #4)
> The original testcase here doesn't work anymore because the links have been changed in markup. However, I believe this bug was fixed in 66 and later by bug 1515863. Vinoth / Christoph, can you confirm?

Yes, I can confirm that Bug 1515863 fixed that problem. Marking this bug as a duplicate of 1515863.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(ckerschb)
Flags: needinfo?(cegvinoth)
Resolution: --- → DUPLICATE