Content Security Policy ignoring 'self' and nonce for script-src but still executing script

RESOLVED WORKSFORME

Core
DOM: Security

People

(Reporter: damon, Unassigned)

Tracking

41 Branch

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
Created attachment 8670859 [details]
Screen Shot 2015-10-07 at 9.52.52 AM.png

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36

Steps to reproduce:

Create document with inline script with nonce attribute. Add nonce value and 'self' to script-src CSP directive.

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-NONCE_VALUE';

http://roh.eworksbuildsit.com/locations/ for a real-world example
http://roh.eworksbuildsit.com/test.php for an abbreviated example
Source of test.php below:
<?php

// Per-response nonce; echoed into both the CSP header and the script tag
$nonce = hash('sha1', time() . rand());

header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-" . $nonce . "'; report-uri http://roh.eworksbuildsit.com/csp");

?>
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Untitled Document</title>
<!-- inline script carries the same nonce the header allows -->
<script type="text/javascript" nonce="<?= $nonce; ?>">
window.onload = function(){
	var txt = document.createTextNode('Hello');
	document.body.appendChild(txt);
};
</script>
</head>
<body>
</body>
</html>


Actual results:

Security error "Content Security Policy: The page's settings blocked the loading of a resource at self". However, the script does actually execute.


Expected results:

Script executes without security warning

Updated

2 years ago
Status: UNCONFIRMED → NEW
Component: Untriaged → Networking
Ever confirmed: true

Updated

2 years ago
Component: Networking → DOM: Security
Kamil, Matt, is that reproducible?
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
Whiteboard: [domsecurity-backlog]
QA Contact: kjozwiak
Reproduced the original issue using the test case that was attached in comment #0 with the following build:
* https://archive.mozilla.org/pub/firefox/releases/41.0.2/linux-x86_64/

Received the following error message in the browser console, even though the script was executed:

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://localhost 'unsafe-eval' 'nonce-e7ffc55d5958db702caf1fedc813a72a0925a6d4'").

Went through verification using the following builds:
* https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-10-03-02-42-mozilla-central/
* https://archive.mozilla.org/pub/firefox/nightly/2016/03/2016-03-10-00-40-11-mozilla-aurora/
* https://archive.mozilla.org/pub/firefox/candidates/46.0b1-candidates/build8/linux-x86_64/en-US/
* https://archive.mozilla.org/pub/firefox/releases/45.0/linux-x86_64/

Results:

* fx48.0a1 - PASSED
** loaded the script without an error message appearing under the browser console

* fx47.0a2 - PASSED
** loaded the script without an error message appearing under the browser console

* fx46.0b1 - PASSED
** loaded the script without an error message appearing under the browser console

* fx45.0 - PASSED
** loaded the script without an error message appearing under the browser console

It looks like this isn't an issue anymore. I've reproduced the problem using fx41.0.2 several times and couldn't reproduce the issue with fx48.0a1, fx47.0a2, fx46.0b1 and fx45.0.
Flags: needinfo?(mwobensmith)
Flags: needinfo?(mozilla)
Flags: needinfo?(kjozwiak)
(In reply to Kamil Jozwiak [:kjozwiak] from comment #2)
> It looks like this isn't an issue anymore. I've reproduced the problem using
> fx41.0.2 several times and couldn't reproduce the issue with fx48.0a1,
> fx47.0a2, fx46.0b1 and fx45.0.

Thanks Kamil. Would be really surprising to me if that would not be working correctly within the latest versions. Closing this bug.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Flags: needinfo?(mozilla)
Resolution: --- → WORKSFORME