Closed Bug 1056882 Opened 10 years ago Closed 10 years ago

HTML import polyfill bypasses natural CSP restrictions

Categories

(Firefox OS Graveyard :: Gaia::Components, defect)

Product:
Firefox OS Graveyard
Component:
Gaia::Components
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(firefox-esr31 unaffected, b2g-v2.1 fixed)

Status:
RESOLVED FIXED
Milestone:
2.1 S3 (29aug)
Tracking Flags:
Tracking Status
firefox-esr31 --- unaffected
b2g-v2.1 --- fixed

People

(Reporter: freddy, Assigned: freddy)

References

Details

(Keywords: sec-low, wsec-injection)

Attachments

(1 file, 2 obsolete files)

only same-origin imports, as github PR (addressing linter errors)
46 bytes, text/x-github-pull-request
Details | Review 
As specified in the imports spec, HTML imports are subject to script-src CSP restrictions. For gaia apps, this means disallowing data: URIs for example.

The html polyfill does *not* check and allows everything that it can get via XHR (i.e., same-origin or CORS enabled - both fine).

But the HTML import polyfill can *not* bypass the "inline script" restriction which is given through the CSP that is in place AFAIU.
Kevin are you a good owner for this (I guessed with git blame)?
I wonder if there's a good way to check for bad origins using window.URL.
Flags: needinfo?(kgrandon)
P.S: This means that once we move to the platform version, things *might* break. I think it's rather unlikely though.

CCing Gabor, who works on the imports implementation on the platform side. He might be interested in this.
I'm not too familiar with the inner workings of CSP. Does it not work when we set innerHTML?
Flags: needinfo?(kgrandon)
When the polyfill sets innerHTML the scripts that may come with it are subject to CSP and that's fine.

The problem is a bit more theoretical: imports (as specified) should look at the script-src directive and disallow importing documents that are not whitelisted as "script-src" (Gaia allows only 'self', i.e. the current origin).

The polyfill however does not look at the policy. Instead it imports from everywhere it can get because it uses XMLHttpRequest (XHR). This would allow importing dynamic content via data URIs.


Thinking about this further, it's probably only sec-low ;)
Keywords: sec-moderatesec-low
Blocks: 1057985
So what we can not fix is that the polyfill can not look at the CSP. If the CSP is very specific about script-src, it would provide a CSP bypass.

Fortunately the policy is the same for all privileged and certified apps (which means we disallow reading scripts from the web).

What I suggest is a small patch for html_imports.js to disallow linking to other schemes.
Assignee: nobody → fbraun
Attached patch only same-origin imports (obsolete) — Splinter Review 
Can you review this patch or find someone else to look at it, Kevin?
Attachment #8478897 - Flags: review?(kgrandon)
Note to self: This won't need sec-approval because it's sec-low. Putting it on Github.
Attached file only same-origin imports, as github PR (obsolete) — 
The same patch, as a github pull request.
Attachment #8478897 - Attachment is obsolete: true
Attachment #8478897 - Flags: review?(kgrandon)
Attachment #8478898 - Flags: review?(kgrandon)
If this is generally approved, I'll spin up a next iteration: "document.baseURI" could be DOM-clobbered[1]. It's better to use location.href :)

[1] http://www.thespanner.co.uk/2013/05/16/dom-clobbering/
Comment on attachment 8478898 [details] [review]
only same-origin imports, as github PR

Seems fine to me, might be worth adding a comment above the code though. Thanks!
Attachment #8478898 - Flags: review?(kgrandon) → review+
Updated the patch with a comment "bail out if the imported resource isn't in the same origin".
Now using location.href instead of document.baseURI.
Keywords: checkin-needed
Master: https://github.com/mozilla-b2g/gaia/commit/503d3c4e4c779f31ccb768a8ccc2b505aff72e83
Status: NEW → RESOLVED
Closed: 10 years ago
status-b2g-v2.1: --- → fixed
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → 2.1 S3 (29aug)
linter was green on a local "make lint".
Attachment #8478898 - Attachment is obsolete: true
Flags: needinfo?(fbraun)
Keywords: checkin-needed
What about CORS?
Good catch, but we strictly don't allow CORS in FxOS privileged and certified apps: The Content Security Policy disallows script loads from anything but "self".
Master: https://github.com/mozilla-b2g/gaia/commit/d281d90c3679d513627e17c0f4dcf9e895c9b47d
Status: REOPENED → RESOLVED
Closed: 10 years ago10 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Group: b2g-core-security → core-security
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: