Closed
Bug 1056882
Opened 10 years ago
Closed 10 years ago
HTML import polyfill bypasses natural CSP restrictions
Categories
(Firefox OS Graveyard :: Gaia::Components, defect)
Tracking
(firefox-esr31 unaffected, b2g-v2.1 fixed)
RESOLVED
FIXED
2.1 S3 (29aug)
Tracking | Status | |
---|---|---|
firefox-esr31 | --- | unaffected |
b2g-v2.1 | --- | fixed |
People
(Reporter: freddy, Assigned: freddy)
References
Details
(Keywords: sec-low, wsec-injection)
Attachments
(1 file, 2 obsolete files)
As specified in the imports spec, HTML imports are subject to script-src CSP restrictions. For gaia apps, this means disallowing data: URIs for example. The html polyfill does *not* check and allows everything that it can get via XHR (i.e., same-origin or CORS enabled - both fine). But the HTML import polyfill can *not* bypass the "inline script" restriction which is given through the CSP that is in place AFAIU.
Assignee | ||
Comment 1•10 years ago
|
||
Kevin are you a good owner for this (I guessed with git blame)? I wonder if there's a good way to check for bad origins using window.URL.
Flags: needinfo?(kgrandon)
Assignee | ||
Comment 2•10 years ago
|
||
P.S: This means that once we move to the platform version, things *might* break. I think it's rather unlikely though. CCing Gabor, who works on the imports implementation on the platform side. He might be interested in this.
Comment 3•10 years ago
|
||
I'm not too familiar with the inner workings of CSP. Does it not work when we set innerHTML?
Flags: needinfo?(kgrandon)
Assignee | ||
Comment 4•10 years ago
|
||
When the polyfill sets innerHTML the scripts that may come with it are subject to CSP and that's fine. The problem is a bit more theoretical: imports (as specified) should look at the script-src directive and disallow importing documents that are not whitelisted as "script-src" (Gaia allows only 'self', i.e. the current origin). The polyfill however does not look at the policy. Instead it imports from everywhere it can get because it uses XMLHttpRequest (XHR). This would allow importing dynamic content via data URIs. Thinking about this further, it's probably only sec-low ;)
Keywords: sec-moderate → sec-low
Assignee | ||
Comment 5•10 years ago
|
||
So what we can not fix is that the polyfill can not look at the CSP. If the CSP is very specific about script-src, it would provide a CSP bypass. Fortunately the policy is the same for all privileged and certified apps (which means we disallow reading scripts from the web). What I suggest is a small patch for html_imports.js to disallow linking to other schemes.
Assignee | ||
Updated•10 years ago
|
Assignee: nobody → fbraun
Assignee | ||
Comment 6•10 years ago
|
||
Can you review this patch or find someone else to look at it, Kevin?
Attachment #8478897 -
Flags: review?(kgrandon)
Assignee | ||
Comment 7•10 years ago
|
||
Note to self: This won't need sec-approval because it's sec-low. Putting it on Github.
Assignee | ||
Comment 8•10 years ago
|
||
The same patch, as a github pull request.
Attachment #8478897 -
Attachment is obsolete: true
Attachment #8478897 -
Flags: review?(kgrandon)
Attachment #8478898 -
Flags: review?(kgrandon)
Assignee | ||
Comment 9•10 years ago
|
||
If this is generally approved, I'll spin up a next iteration: "document.baseURI" could be DOM-clobbered[1]. It's better to use location.href :) [1] http://www.thespanner.co.uk/2013/05/16/dom-clobbering/
Comment 10•10 years ago
|
||
Comment on attachment 8478898 [details] [review] only same-origin imports, as github PR Seems fine to me, might be worth adding a comment above the code though. Thanks!
Attachment #8478898 -
Flags: review?(kgrandon) → review+
Assignee | ||
Comment 11•10 years ago
|
||
Updated the patch with a comment "bail out if the imported resource isn't in the same origin". Now using location.href instead of document.baseURI.
Keywords: checkin-needed
Comment 12•10 years ago
|
||
Master: https://github.com/mozilla-b2g/gaia/commit/503d3c4e4c779f31ccb768a8ccc2b505aff72e83
Status: NEW → RESOLVED
Closed: 10 years ago
status-b2g-v2.1:
--- → fixed
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → 2.1 S3 (29aug)
I had to revert this for linter test failures: https://github.com/mozilla-b2g/gaia/commit/6e804a42ab90f4251c7fe8c68731dc1c6abd8006 https://tbpl.mozilla.org/php/getParsedLog.php?id=46799653&tree=B2g-Inbound
Status: RESOLVED → REOPENED
Flags: needinfo?(fbraun)
Resolution: FIXED → ---
Assignee | ||
Comment 14•10 years ago
|
||
linter was green on a local "make lint".
Attachment #8478898 -
Attachment is obsolete: true
Flags: needinfo?(fbraun)
Assignee | ||
Updated•10 years ago
|
Keywords: checkin-needed
Comment 15•10 years ago
|
||
What about CORS?
Assignee | ||
Comment 16•10 years ago
|
||
Good catch, but we strictly don't allow CORS in FxOS privileged and certified apps: The Content Security Policy disallows script loads from anything but "self".
Comment 17•10 years ago
|
||
Master: https://github.com/mozilla-b2g/gaia/commit/d281d90c3679d513627e17c0f4dcf9e895c9b47d
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Updated•10 years ago
|
Group: b2g-core-security → core-security
Updated•10 years ago
|
status-firefox-esr31:
--- → unaffected
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•