Closed Bug 1111339 Opened 5 years ago Closed 5 years ago

[e10s] CSP 'frame-src https:' stops user from navigating to http pages that redirect to a different http location

Categories

(Core :: DOM: Security, defect)

x86_64
Linux
defect
Not set


RESOLVED DUPLICATE of bug 1112782

People

(Reporter: sjakthol, Unassigned)

Details

Steps to reproduce:
0. Use Nightly and have e10s enabled
1. Go to https://twitter.com
2. Type "http://google.fi" into the URL bar and press enter

What happens:
The Google homepage is not loaded and a CSP violation is logged to the web console.

What should happen:
The Google homepage is loaded, as that's what the user requested.

I've determined that the following conditions are necessary to trigger this bug:
- e10s must be enabled - this does not happen in non-e10s windows.
- the original page (twitter.com in STR) must have "frame-src https:" in the CSP header
- the target page (http://google.fi in STR) must redirect with 301 or 302 to an http Location; the redirect target is the blocked URL.

So for STR the requests and responses are:
- GET https://twitter.com => 200 OK; content-security-policy: <see a few lines below>
- GET http://google.fi => 301 Moved Permanently; Location: http://www.google.fi
- GET http://www.google.fi => Blocked by twitter.com's CSP.

Here's the full CSP header of twitter.com:
> content-security-policy: default-src 'self'; connect-src 'self'; font-src 'self' https://*.twimg.com https://ton.twitter.com https://twitter.com data:; frame-src 'self'; frame-ancestors 'self'; img-src 'self' https://*.twimg.com https://ton.twitter.com https://twitter.com data:; media-src 'self' https://*.twimg.com https://ton.twitter.com https://twitter.com; object-src 'none'; script-src 'self' https://*.twimg.com https://ton.twitter.com https://twitter.com; style-src 'self' https://*.twimg.com https://ton.twitter.com https://twitter.com; report-uri https://twitter.com/i/csp_report?a=<random-looking-string>&ro=false;

Here's the body of the CSP report sent to twitter.com:
> {
>   "csp-report": {
>     "blocked-uri":"http://www.google.fi",
>     "document-uri":"https://twitter.com/",
>     "original-policy":"default-src https:; connect-src https:; font-src https: data:; frame-src https: twitter:; frame-ancestors https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:; report-uri https://twitter.com/i/csp_report?a=<random-looking-string>&ro=false",
>     "referrer":"",
>     "violated-directive":"frame-src https: twitter:"
>   }
> }


Here's the CSP header for a minimal test case:
> content-security-policy: frame-src https:; report-uri http://localhost/csp

Here's the body of the CSP report for the above minimal test case:
> {
>   "csp-report": {
>     "blocked-uri":"http://www.google.fi",
>     "document-uri":"http://localhost/",
>     "original-policy":"frame-src https:; report-uri http://localhost/csp",
>     "referrer":"",
>     "violated-directive":"frame-src https:"
>   }
> }
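A local reproduction harness for the minimal test case above, as an added example that is not part of the bug report: it serves a page that embeds no frames but carries the minimal CSP header, a 301 redirect that stays on localhost (standing in for google.fi -> www.google.fi), and a /csp endpoint that parses any report the browser posts. Since the page contains no frames, any frame-src report that arrives is spurious. Port 8000 and the /redirect and /target paths are assumptions.

```python
# Added example, not code from the bug report. Reproduces the reporter's
# minimal test case entirely on localhost: open http://localhost:8000/ and
# then type http://localhost:8000/redirect into the URL bar.
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT = 8000  # assumed; the report in the bug used http://localhost/csp
CSP_HEADER = "frame-src https:; report-uri http://localhost:%d/csp" % PORT
REPORT_FIELDS = ("blocked-uri", "document-uri", "violated-directive", "original-policy")


def parse_report(body: bytes) -> dict:
    """Extract the fields of a CSP violation report body (application/csp-report)."""
    report = json.loads(body)["csp-report"]
    return {k: report.get(k, "") for k in REPORT_FIELDS}


def is_spurious_frame_src_report(report: dict) -> bool:
    """The served page embeds no frames, so a frame-src violation can only come
    from a top-level navigation being wrongly checked against frame-src."""
    return report["violated-directive"].startswith("frame-src")


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/":  # frameless page carrying the minimal CSP
            body = b"<p>Now type http://localhost:8000/redirect into the URL bar.</p>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Security-Policy", CSP_HEADER)
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/redirect":  # mirrors google.fi -> www.google.fi
            self.send_response(301)
            self.send_header("Location", "http://localhost:%d/target" % PORT)
            self.end_headers()
        else:  # /target: the redirect destination that should simply load
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"target reached")

    def do_POST(self):
        if self.path == "/csp":  # report-uri collector
            length = int(self.headers.get("Content-Length", 0))
            report = parse_report(self.rfile.read(length))
            print("CSP report:", report, "spurious:", is_spurious_frame_src_report(report))
            self.send_response(204)
            self.end_headers()


if __name__ == "__main__":
    HTTPServer(("localhost", PORT), Handler).serve_forever()
```

If /target loads and nothing is printed at /csp, the navigation was handled correctly; a printed report with "spurious: True" is the behaviour the bug describes.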
Summary: [e10s] CSP stops user from navigating from https to http pages → [e10s] CSP 'frame-src https:' stops user from navigating to http pages that redirect to a different http location
Flags: needinfo?(mrbkap)
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(mrbkap)
Resolution: --- → DUPLICATE
Duplicate of bug: 1112782