Closed
Bug 1180637
Opened 10 years ago
Closed 10 years ago
Packaged Apps do not apply CSP
Categories
(Core :: Networking, defect)
Core
Networking
Tracking
()
RESOLVED
FIXED
mozilla42
| Tracking | Status | |
|---|---|---|
| firefox42 | --- | fixed |
People
(Reporter: freddy, Assigned: valentin)
References
Details
(Keywords: sec-moderate, Whiteboard: [adv-main42-])
Attachments
(2 files)
|
691 bytes,
application/x-php
|
Details | |
|
5.29 KB,
patch
|
mayhemer
:
review+
|
Details | Diff | Splinter Review |
My test sends a strict Content-Security-Policy header that only allows scripts from the same origin, but no inline scripts.
In my testing an index.html within the package may do all those things the CSP disallows.
Valentin, is this a good bug for you or should we defer this to someone else?
|
Reporter | |
Comment 1•10 years ago
|
||
Attaching the package I used for testing
|
|
Reporter | |
Comment 2•10 years ago
|
||
(In reply to Frederik Braun [:freddyb] from comment #0)
> Valentin, is this a good bug for you or should we defer this to someone else?
Heh, sorry. I forgot to CC you.
Can you take a look?
Flags: needinfo?(valentin.gosu)
|
Assignee | |
Comment 3•10 years ago
|
||
I already have a patch incoming. Thanks for filing the bug.
Flags: needinfo?(valentin.gosu)
|
|
Assignee | |
Comment 4•10 years ago
|
||
Attachment #8630339 -
Flags: review?(honzab.moz)
|
||
Comment 5•10 years ago
|
||
Comment on attachment 8630339 [details] [diff] [review]
Packaged Apps do not apply CSP
Review of attachment 8630339 [details] [diff] [review]:
-----------------------------------------------------------------
::: netwerk/protocol/http/PackagedAppService.cpp
@@ +74,5 @@
> + }
> +
> + nsAutoCString value;
> + httpChan->GetResponseHeader(NS_LITERAL_CSTRING("Content-Security-Policy"), value);
> + aHead->SetHeader(nsHttp::ResolveAtom("Content-Security-Policy"), value);
since you copy just the CSP header, should this be called CopyCSPHeader?
::: netwerk/protocol/http/PackagedAppService.h
@@ +88,5 @@
> // so packaged resources can be accessed over https.
> nsresult CopySecurityInfo(nsIChannel *aChannel);
>
> + // Copy headers that apply to all resources in the package
> + static nsresult CopyHeaders(nsIChannel *aChannel, nsHttpResponseHead *aHead);
express in the comment the copy direction or even better name the method better like CopyHeadersFromChannel or so..
Attachment #8630339 -
Flags: review?(honzab.moz) → review+
|
|
Reporter | |
Comment 6•10 years ago
|
||
Considering that this patch "just" copies the header… are there any way we we could do it so that packages loop into the "normal" content loading flow?
I'm asking because I suppose that we may have bugs similar to this one but for X-Frame-Options, Strict-Transport-Security, etc.
|
|
Assignee | |
Comment 7•10 years ago
|
||
(In reply to Frederik Braun [:freddyb] from comment #6)
> Considering that this patch "just" copies the header… are there any way we
> we could do it so that packages loop into the "normal" content loading flow?
>
> I'm asking because I suppose that we may have bugs similar to this one but
> for X-Frame-Options, Strict-Transport-Security, etc.
I suppose we need to copy all of the applicable headers from the package channel to the cache entries.
I don't think there is a way to do this more easily.
Could you file a new bug for the rest of the headers?
Thanks!
|
||
Comment 9•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox42:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
|
||
Comment 10•9 years ago
|
||
dveditz suggested this needs a release note for 42. Valentin, can you suggest wording for a release note and something we can link to? Thanks.
|
|
||
Updated•9 years ago
|
Flags: needinfo?(dveditz)
|
|
Assignee | |
Comment 11•9 years ago
|
||
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #10)
> dveditz suggested this needs a release note for 42. Valentin, can you
> suggest wording for a release note and something we can link to? Thanks.
This bug makes all the resources in a package [1] inherit the same "Content-Security-Policy" header that the package response had. Bug 1181137 (landed in fx43) improves upon this by copying all the allowed headers from the package to each individual resource.
[1] The new package format is defined at https://wiki.mozilla.org/FirefoxOS/New_security_model
It is based on https://github.com/w3ctag/packaging-on-the-web with the exception that subresources are identified by a unique URL such as protocol://domain/path/to/package.pak!//path/to/subresource.html
The !// separator is essential to identifying a package.
Flags: needinfo?(valentin.gosu)
|
||
Comment 12•9 years ago
|
||
Liz, this is for b2g mostly if I understand correctly. Why do you think we should relnote it?
Flags: needinfo?(sledru)
|
|
||
Comment 13•9 years ago
|
||
Because al mentioned that dveditz thought we should relnote it and he was just about to get on an airplane. Can you check with Daniel some time this week?
|
||
Updated•9 years ago
|
Whiteboard: [adv-main42-]
|
||
Comment 14•9 years ago
|
||
I may have misunderstood this bug when I got concerned about it. Since this type of package is a new feature, not the existing web app package types, we don't need to warn users of it.
Flags: needinfo?(dveditz)
|
|
||
Updated•9 years ago
|
relnote-firefox:
? → ---
You need to log in
before you can comment on or make changes to this bug.
Description
•