Closed Bug 1015032 Opened 11 years ago Closed 7 years ago

CSP header is completely ignored by iframe mozbrowser

Categories

(Firefox OS Graveyard :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: sdna.muneaki.nishimura, Unassigned)

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [reporter-external])

User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36

Steps to reproduce:

1. Create a privileged app with <iframe mozbrowser> and open a web page which sets a Content-Security-Policy header to ignore all cross-domain access like below:

   Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline';"

2. The page opened above accesses cross-domain resources such as:

   <img src="https://www.google.co.jp/images/srpr/logo11w.png">
   var connection = new WebSocket('ws://cross-origin/');

Actual results:

In case of inari (ZTE Open) with Boot2Gecko 1.4.0.0-prerelease, built by me, all cross-origin resources can be accessed regardless of the Content-Security-Policy header.

Expected results:

All cross-domain access prohibited by CSP must be canceled.
Hi Muneaki, Thanks for the report. My understanding of the issue is that you have an app with the browser permission. Within this app, you open a webpage e.g. www.mozilla.org in an <iframe mozbrowser>. The webpage (www.mozilla.org) sets a CSP with default-src 'self', however cross-origin requests/resources are still allowed. This would appear to be a bug if true. There was recently some changes to the CSP handling for B2G and I wonder if that is related. I'm going to add some people who have more knowledge of this codebase.
That's definitely a bug. sdna.muneaki.nishimura, is there any way you could publish a test case for me to use in debugging? If not, I can create one myself.
Flags: needinfo?(sdna.muneaki.nishimura)
Assignee: nobody → grobinson
Sorry, unfortunately my test environment is in my private server and it cannot be made public.
Flags: needinfo?(sdna.muneaki.nishimura)
Flags: sec-bounty?
Whiteboard: [reporter-external]
I'm trying to reproduce. So far, I have:

   <html>
   ...
   <iframe src="/mozbrowser" mozbrowser></iframe>
   </html>

Where /mozbrowser is served with:

   Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline';"

and has contents like:

   <html>
   ...
   <img src="https://www.google.co.jp/images/srpr/logo11w.png">
   </html>

When I load the first page in the browser, CSP works correctly and blocks the cross-domain resource load. Currently the first page is just an ordinary web page, not an app - I will next try making it a privileged app, to see if that makes a difference.

sdna, are you sure you sent the CSP with the src of the iframe, and not with its parent document?
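As an added example (not part of this bug's comments and not Gecko's CSP code), the following JavaScript is a small evaluator for the policy used in the report and in the reproduction above. It parses the header, applies the default-src fallback for fetch directives, matches 'self', scheme and host source expressions, and reports whether the cross-origin image and WebSocket loads should be blocked. The document origin https://app.example and all function names are assumptions; the resource URLs are the ones from the report.

```javascript
// Minimal evaluator for CSP fetch directives (added example, not Gecko's parser).
// Assumed document origin for the page that sends the policy (constructed value).
const PAGE_ORIGIN = "https://app.example";

// Policy exactly as given in the bug report.
const REPORTED_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline';";

// Default ports used when a host source names a port but the URL omits it.
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Split "name src src; name src" into a Map; the first occurrence of a directive wins.
function parsePolicy(header) {
  const directives = new Map();
  for (const token of header.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Fetch directives (img-src, connect-src, ...) fall back to default-src when absent.
// Returns null when the policy places no restriction on this directive at all.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// Does one source expression permit loading resourceUrl from a document at docOrigin?
function sourceMatches(expr, docOrigin, resourceUrl) {
  const res = new URL(resourceUrl);
  const doc = new URL(docOrigin);
  switch (expr.toLowerCase()) {
    case "'self'": return res.origin === doc.origin; // same scheme, host and port
    case "'none'": return false;
    case "*": return true;
    case "'unsafe-inline'":
    case "'unsafe-eval'": return false; // keywords about inline code, never a URL match
  }
  // Scheme source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return res.protocol === expr.toLowerCase();
  // Host source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && res.protocol !== scheme.toLowerCase() + ":") return false;
  const h = res.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !h.endsWith("." + want) : h !== want) return false;
  if (port && port !== "*" && (res.port || DEFAULT_PORT[res.protocol] || "") !== port) return false;
  return true;
}

// True if the policy allows the load; false if a conforming browser should block it.
function isAllowed(header, docOrigin, directive, resourceUrl) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, docOrigin, resourceUrl));
}

// The three loads that matter for this bug: two cross-origin (must be blocked),
// one same-origin (must be allowed).
function evaluateReportedLoads() {
  return {
    crossOriginImage: isAllowed(REPORTED_POLICY, PAGE_ORIGIN, "img-src",
      "https://www.google.co.jp/images/srpr/logo11w.png"),
    crossOriginWebSocket: isAllowed(REPORTED_POLICY, PAGE_ORIGIN, "connect-src",
      "ws://cross-origin/"),
    sameOriginImage: isAllowed(REPORTED_POLICY, PAGE_ORIGIN, "img-src",
      "https://app.example/logo.png"),
  };
}

console.log(evaluateReportedLoads());
```

Running the block prints an object in which both cross-origin entries are false and the same-origin entry is true; a build that lets the first two loads through, as the report describes for B2G 1.4, is not enforcing the header at all rather than mis-evaluating it.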
I also tried to reproduce the bug on my server and found that: it cannot be reproduced on the Firefox OS 1.4 sim, but not on the Firefox OS 2.0 sim. It seems that the issue may be fixed on Firefox OS 2.0. If you also find the same behavior, please ignore this ticket as FP or dupe.
We still do care about fixing 1.4 if Garrett can reproduce the problem there since that version has not yet shipped. And if it's a problem in 1.4 it may be a problem in 1.3 which is the current device version.
Flags: needinfo?(grobinson)
Keywords: sec-moderate
I have reproduced the build locally (using the App Manager and the Firefox OS simulators 1.3, 1.4, and 2.0 from https://ftp.mozilla.org/pub/mozilla.org/labs/fxos-simulator/). I can confirm that the issue is present on 1.3 and 1.4, but not on 2.0.
Flags: needinfo?(grobinson)
The cause of this issue is that we did not support the spec-compliant parser on B2G until *very* recently - see Bug 858787 for the full history. So the policy you are sending with the <iframe mozbrowser> is not being applied at all, and wouldn't be in any context - the fact that it is an iframe mozbrowser is irrelevant. I have confirmed that sending "X-Content-Security-Policy" instead (with a slightly modified policy to match the non-spec-compliant syntax) causes the cross-domain resources to be blocked correctly on B2G 1.3 and 1.4.

The question now is - why isn't this issue present on B2G 2.0? The patch for 858787, which theoretically should fix this issue, only landed yesterday, in Gecko 33, and B2G 2.0 is based on Gecko 32 [0]. I want to figure out what caused things to change in B2G 2.0 before resolving this issue - I don't think it was the patch for 858787.

[0] https://wiki.mozilla.org/Release_Management/B2G_Landing
This appears to be known lack-of-support for this feature until recently in FxOS.
Flags: sec-bounty? → sec-bounty-
Group: core-security → b2g-core-security
FirefoxOS is no longer under active development.
Assignee: garrett.f.robinson+mozilla → nobody
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Group: b2g-core-security