Closed Bug 1125565 Opened 10 years ago Closed 10 years ago

Extra CSP violation reports when using nonce-source

Categories

(Core :: DOM: Security, defect)

35 Branch
x86
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 1026520

People

(Reporter: danesh, Unassigned)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Steps to reproduce:
1) Serve attached html page with a CSP header of "Content-Security-Policy: script-src 'nonce-AaBbCcDdEeAaBbCcDdEe890abcdef';report-uri /tmp"
2) Observe network requests and html output.

Actual results:
1) Three CSP violation reports are generated and sent to the report-uri, although there should only be one CSP violation report.
2) Even though the script is properly nonced it still reports violations (although it executes the document.write).

Expected results:
1) Only one CSP violation report for the one script tag that has an incorrect nonce.
2) No CSP violation report for the properly nonced script.

There seems to be a bug that sends a violation report too early, prior to checking if the script is properly nonced. This is why a plain script tag (with no nonce attribute) will only generate one CSP violation*, whereas a script tag with an invalid nonce will generate two CSP violations, and a script with a valid nonce only generates one CSP violation (for the initial "try" without the nonce).

[*] - Expected behavior for a single script tag and not included in below HTML.
Blocks: 1004703
Component: Untriaged → DOM: Security
Product: Firefox → Core
Hey Sid, Dan, would you mind triaging this to the right folks?
The bug seems to be here (http://mxr.mozilla.org/mozilla-central/source/dom/base/nsScriptLoader.cpp#462). Namely, reportInlineViolation is checked and violations.AppendElement is called before checking for nonce or hash. When a nonce/hash are checked, violations.AppendElement is called again. P.S. It seems like you might be able to get a single script block to throw three violations by specifying both a nonce and hash in the CSP header and specifying a bad nonce and bad hash for the script element.
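A simplified model of the ordering described in the comment above, added here as an example; it is not Firefox source and not part of the original bug thread. The function names, report strings and the two-script page in the usage note are assumptions; only the nonce value comes from the CSP header in the report.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Simplified model of the report ordering; hypothetical names, not Firefox source.
struct Outcome {
  bool allowed = false;              // does the inline script execute?
  std::vector<std::string> reports;  // violation reports queued for report-uri
};

// Nonce from the CSP header in the bug report.
static const std::string kPolicyNonce = "AaBbCcDdEeAaBbCcDdEe890abcdef";

// Ordering as described: a violation is queued before the nonce is checked,
// and a failed nonce check queues a second one.
Outcome CheckReportFirst(const std::string& nonceAttr) {
  Outcome out;
  out.reports.push_back("inline script violates script-src");  // queued too early
  if (!nonceAttr.empty()) {
    if (nonceAttr == kPolicyNonce) {
      out.allowed = true;  // script runs, but the early report is still sent
    } else {
      out.reports.push_back("nonce does not match script-src");
    }
  }
  return out;
}

// Decide first, then queue at most one report per blocked script.
Outcome CheckDecideFirst(const std::string& nonceAttr) {
  Outcome out;
  out.allowed = !nonceAttr.empty() && nonceAttr == kPolicyNonce;
  if (!out.allowed) {
    out.reports.push_back("inline script violates script-src");
  }
  return out;
}

// Total reports sent for a page, given the nonce attribute of each inline script.
size_t CountReports(Outcome (*check)(const std::string&),
                    const std::vector<std::string>& scriptNonces) {
  size_t total = 0;
  for (const auto& nonce : scriptNonces) total += check(nonce).reports.size();
  return total;
}
```

For a page with one badly nonced and one correctly nonced inline script, `CheckReportFirst` yields the three reports the reporter observed, while `CheckDecideFirst` yields the single expected report.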
Christoph: is this yours?
Flags: needinfo?(mozilla)
Danesh, thanks for filing. We just triaged CSP bugs and Francois is going to fix the issue in Bug 1026520. Marking this bug as a duplicate and CC you on the other bug.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mozilla)
Resolution: --- → DUPLICATE