Open
Bug 1052887
Opened 10 years ago
Updated 2 years ago
Websocket redirects don't honor CSP
Categories
(Core :: DOM: Security, defect, P3)
Core
DOM: Security
Tracking
()
NEW
People
(Reporter: tanvi, Unassigned)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [domsecurity-backlog3])
If a page has a CSP policy, the CSP policy is set on subresource channels via channelPolicy. If the subresource goes through a redirect, channelPolicy is used to determine if the new destination is allowed per the main page's CSP. Websockets do not set channelPolicy. And hence, websocket redirects go through without checking with CSP. Luckily, this isn't a huge security hole because websocket redirects are turned off by default: network.websocket.auto-follow-http-redirect = false So the issue exists issue if the user or an addon sets this pref to true. A grep through the addons mxr doesn't show any addons setting this to true: https://mxr.mozilla.org/addons/search?string=auto-follow-http-redirects However, even if the pref is set to false, our code allows websocket redirects if we are upgrading from ws://unique_uri to wss://unique_uri http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/websocket/WebSocketChannel.cpp#2478 Suppose a page has a CSP policy that allows only ws://unique_uri. Https-Everywhere or HSTS might auto-upgrade ws://unique_uri to wss://unique_uri. The browser will allow the wss://unique_uri load even though it doesn't honor the pages CSP. This bug is to ensure that the CSP policy is honored even after websocket redirects. This means that we first have to add the necessary info to websocket channels to perform a csp check, which we have to do this anyway in bug 1037669. As a separate bug (which I will file shortly), we can remove the code and the pref to support websocket redirects.
|
Reporter | |
Comment 1•10 years ago
|
||
> As a separate bug (which I will file shortly), we can remove the code and > the pref to support websocket redirects. Filed https://bugzilla.mozilla.org/show_bug.cgi?id=1052909
Blocks: 1006868
|
||
Comment 2•9 years ago
|
||
I think bug https://bugzilla.mozilla.org/show_bug.cgi?id=1041180 fixed that, we should verify in our next triage.
|
|
||
Updated•9 years ago
|
Assignee: nobody → mozilla
Component: Security → DOM: Security
|
|
||
Updated•9 years ago
|
Priority: -- → P3
|
|
||
Updated•8 years ago
|
Status: NEW → ASSIGNED
|
|
||
Comment 3•8 years ago
|
||
I don't have time to fix that right now - let's put it in the backlog.
Assignee: mozilla → nobody
Status: ASSIGNED → NEW
Whiteboard: [domsecurity-backlog]
|
|
||
Updated•8 years ago
|
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog3]
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•