CSP style-src 'unsafe-inline' preferred over hash-source / nonce-source

RESOLVED FIXED in Firefox 48

Type: defect

People

(Reporter: kontakt, Assigned: ckerschb)

Tracking

Blocks: 1 bug
Version: 44 Branch
Target Milestone: mozilla48
Hardware: x86
OS: macOS

Firefox Tracking Flags

(firefox48 fixed)

Details

(Whiteboard: [domsecurity-backlog])

Attachments

(2 attachments, 1 obsolete attachment)

Description (Reporter, 4 years ago)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20151124004047

Steps to reproduce:

Visit http://demos.scheurle.info/firefox/csp-hash-source/

Actual results:

Red text reading "Your CSP is broken!" is displayed.

Expected results:

Green text reading "Your CSP works fine." should be displayed.

=> The red text is injected by some inline <style> tag, which, according to the specs (link can be found on the page mentioned above), should never be evaluated.
Updated (Reporter, 4 years ago)
Component: Untriaged → DOM: Security
Product: Firefox → Core
Updated (Reporter, 4 years ago)
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86
Comment 1 (Reporter, 4 years ago)
Posted image Screenshot
Comment 2 (Reporter, 4 years ago)
Comment on attachment 8691719 [details]
Screenshot

Screenshot showing:

  * the CSP being defined
  * the styles included
  * the actual page
  * the relevant part from the specs
Hi Chris, thanks for reporting. Please note that Meta CSP is only supported after FF 45 [See Bug 663570]. I only did a quick check, and it seems to be blocking correctly. However, the error is not displayed in the web console, which is definitely a bug. I'll have to investigate.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [domsecurity-backlog]
Comment 4 (Reporter, 3 years ago)
I used Meta tags in the demo to keep things compact, but I encountered the same behaviour when using HTTP headers. I just checked the demo with FF 45.0 and FF 46.0a2 and both are *not* blocking anything. Otherwise, there would be no text reading "Your CSP is broken!" at the top of the page.
Thanks Chris for reporting this bug. I know what's going on, we only implemented the 'ignore unsafe-inline part' for scripts, but not for styles [1]. Obviously that needs to be updated and fixed.

[1] http://hg.mozilla.org/mozilla-central/rev/eeece72a1d99#l2.125
Assignee: nobody → mozilla
Blocks: csp-w3c-3
Status: NEW → ASSIGNED
Summary: CSP 'unsafe-inline' preferred over hash-source / nonce-source → CSP style-src 'unsafe-inline' preferred over hash-source / nonce-source
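As an added illustration (not code from the Firefox patch or the demo page), the following Python models the CSP rule the assignee describes above: once a style-src or script-src source list contains a hash-source or nonce-source, 'unsafe-inline' must be ignored. The `firefox_pre48_style_bug` flag and the two constructed stylesheets are assumptions used to show the reported behaviour beside the correct one.

```python
import base64
import hashlib

# Hash algorithms a CSP Level 2 hash-source may use.
HASH_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


def hash_source(text, algo="sha256"):
    """Build the quoted 'sha256-...' token for an inline block's exact text."""
    digest = HASH_ALGOS[algo](text.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def allows_inline(source_list, inline_text, nonce=None, firefox_pre48_style_bug=False):
    """Return True if a style-src/script-src source list permits an inline block.

    Spec rule: if the source list contains any nonce-source or hash-source,
    'unsafe-inline' is ignored and the block must match one of them.  The
    firefox_pre48_style_bug flag (an assumption for illustration) models the
    behaviour reported in this bug: the ignore rule was applied to script-src
    only, so 'unsafe-inline' in style-src still allowed every inline style.
    """
    tokens = [t.strip("'") for t in source_list.split()]
    nonce_or_hash = [t for t in tokens
                     if t.startswith("nonce-") or t.split("-", 1)[0] in HASH_ALGOS]
    if "unsafe-inline" in tokens and (not nonce_or_hash or firefox_pre48_style_bug):
        return True
    for tok in nonce_or_hash:
        kind, value = tok.split("-", 1)
        if kind == "nonce":
            if nonce is not None and value == nonce:
                return True
        elif hash_source(inline_text, kind).strip("'") == tok:
            return True
    return False


# Constructed sample modelled on the demo: one hashed stylesheet the page
# author meant to allow, and an injected one that paints the warning red.
ALLOWED_CSS = "#msg { color: green; }"
INJECTED_CSS = "#msg { color: red; }"
STYLE_SRC = "%s 'unsafe-inline'" % hash_source(ALLOWED_CSS)

if __name__ == "__main__":
    print("allowed stylesheet:", allows_inline(STYLE_SRC, ALLOWED_CSS))      # True
    print("injected stylesheet:", allows_inline(STYLE_SRC, INJECTED_CSS))    # False
    print("injected, pre-48 bug:", allows_inline(STYLE_SRC, INJECTED_CSS,
                                                 firefox_pre48_style_bug=True))  # True
```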
Kate, regarding |mCurChar(nullptr)|. It seems something is off with that line-ending. I think we should just update that part with this patch and land as is. Other than that, the patch is pretty straight forward. Let me know if you have any questions. Thanks!
Attachment #8729715 - Flags: review?(kmckinley)
Comment on attachment 8729715 [details] [diff] [review]
bug_1227813_style_src_unsafe_inline.patch

Review of attachment 8729715 [details] [diff] [review]:
-----------------------------------------------------------------

+1
Attachment #8729715 - Flags: review?(kmckinley) → review+
oh wait, there is a problem in the localization.
Keywords: checkin-needed
Sorry I missed that the first time when I flagged you for review. Anyway, we should also update the localization to include 'style-src' when logging to the console. Just tested - works fine.
Attachment #8729715 - Attachment is obsolete: true
Attachment #8729726 - Flags: review?(kmckinley)
Comment on attachment 8729726 [details] [diff] [review]
bug_1227813_style_src_unsafe_inline.patch

Review of attachment 8729726 [details] [diff] [review]:
-----------------------------------------------------------------

+1 with l10n
Attachment #8729726 - Flags: review?(kmckinley) → review+
now for real :-)
Keywords: checkin-needed

Comment 13 (bugherder, 3 years ago)
https://hg.mozilla.org/mozilla-central/rev/82215199c9eb
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48