Closed Bug 1262638 Opened 8 years ago Closed 8 years ago

CSP reports sent but can't find the cause

Categories

(Core :: DOM: Security, defect, P3)

45 Branch
defect


RESOLVED INVALID

People

(Reporter: bugzilla, Unassigned)

Details

(Whiteboard: [domsecurity-backlog3])

Attachments

(3 files)

Attached image firefox1.png
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36

Steps to reproduce:

I have a CSP test page to generate violations for use in analysis: 
https://scotthelme.co.uk/csp-test/

Right now when I visit this page Firefox is sending reports that I can't find the cause of. See attached screenshots. No other browser is reporting these particular violations.



Actual results:

CSP reports are sent for items that I can't find the cause of.


Expected results:

CSP reports possibly should not have been sent.
Attached image firefox2.png
Component: Untriaged → DOM: Security
Product: Firefox → Core
Attached image firefox-base-uri1
Possibly related, similar behaviour on my own site here:
https://www.housingstudents.org.uk/

Observed Behaviour:
Firefox reports a violation of base-uri for the violating url about:blank, when no base-uri is declared in the DOM.
Even when declaring a valid base-uri the violation is still reported, see test page here:
https://www.housingstudents.org.uk/declare_base

Expected Behaviour:
No violation should be reported, as far as I can tell.

I can also confirm the results Scott observed on his site are present in Firefox 45.0.1 on OS X.
I've also started seeing a larger amount of reports like this one too:

{
    "csp-report": {
        "blocked-uri": "self",
        "document-uri": "https://scotthelme.co.uk/tls-conundrum-and-leaving-cloudflare/",
        "line-number": 1,
        "script-sample": "(function () {\n\n    var event_id = docum...",

    }
}

I trimmed the report for sanity but it's not something I recognise and I'm getting a considerable number of them. I can't find "var event_id" anywhere in my source. Firefox is the only browser that sends these reports, no other browser reports the violation.
(In reply to Aidan Woods from comment #2)
Aidan, this sounds like possibly a separate bug so I would recommend filing a new bug for it so we can track them individually.


(In reply to Scott Helme from comment #3)
> I've also started seeing a larger amount of reports like this one too:

Btw. https://a.disquscdn.com/next/embed/common.bundle.2604ea86c00f3bcc98e8fdc57114c1cc.js (which is loaded on that page) does have two occurrences of `event_id`… I can't be sure that's related. I don't know how to reproduce that report being sent and I haven't looked at CSP in a while. 

I think someone who knows CSP will need to use a native debugger to see what's triggering the reports. If you're comfortable with native debugging I can probably mentor you.

Is this a regression from a previous version? If you could use mozregression[1] to find the regression range it would help to figure out the cause.

[1] https://mozilla.github.io/mozregression/quickstart.html
Status: UNCONFIRMED → NEW
Has Regression Range: --- → no
Ever confirmed: true
Flags: needinfo?(scotthelme)
Matthew, per your advisement I have created a separate bug report (https://bugzilla.mozilla.org/show_bug.cgi?id=1263286).
Hi Matt, you're right, I can see event_id in there. What's interesting is that no other browser sends this report so I think further investigation is needed.
Flags: needinfo?(scotthelme)
It seems this bug contains information about several different issues.
1) Bug 1263286 should take care of incorrect base-uri violations for about:blank.
2) Bug 1262635 does not strip schemes of type ftp: within the report anymore.
3) The actual issue for this bug described in Comment 0.

When visiting https://scotthelme.co.uk/csp-test/ I do see 4 reports that are being sent:

* ftp://example.com/ftp.png
* https://example.com/
* https://securityheaders.io/images/blocked.png
* http://scotthelme.co.uk/upgrade.png

I also see all of those violations within the browser console:

Content Security Policy: The page's settings blocked the loading of a resource at ftp://example.com/ftp.png ("img-src https://scotthelme.co.uk data: https://googleads.g.doubleclick.net https://www.google.com https://pagead2.googlesyndication.com https://tpc.googlesyndication.com https://csi.gstatic.com https://www.gravatar.com https://s3.amazonaws.com https://syndication.twitter.com https://pbs.twimg.com https://platform.twitter.com https://www.google-analytics.com https://links.services.disqus.com https://referrer.disqus.com https://a.disquscdn.com https://securityheaders.io/images/security-headers.png").

Content Security Policy: The page's settings blocked the loading of a resource at https://example.com/ ("frame-src https://fw.adsafeprotected.com https://cm.g.doubleclick.net https://tpc.googlesyndication.com https://disqus.com https://www.youtube.com https://syndication.twitter.com https://platform.twitter.com").

Content Security Policy: The page's settings blocked the loading of a resource at https://securityheaders.io/images/blocked.png ("img-src https://scotthelme.co.uk data: https://googleads.g.doubleclick.net https://www.google.com https://pagead2.googlesyndication.com https://tpc.googlesyndication.com https://csi.gstatic.com https://www.gravatar.com https://s3.amazonaws.com https://syndication.twitter.com https://pbs.twimg.com https://platform.twitter.com https://www.google-analytics.com https://links.services.disqus.com https://referrer.disqus.com https://a.disquscdn.com https://securityheaders.io/images/security-headers.png").

Content Security Policy: The page's settings blocked the loading of a resource at http://scotthelme.co.uk/upgrade.png ("img-src https://scotthelme.co.uk data: https://googleads.g.doubleclick.net https://www.google.com https://pagead2.googlesyndication.com https://tpc.googlesyndication.com https://csi.gstatic.com https://www.gravatar.com https://s3.amazonaws.com https://syndication.twitter.com https://pbs.twimg.com https://platform.twitter.com https://www.google-analytics.com https://links.services.disqus.com https://referrer.disqus.com https://a.disquscdn.com https://securityheaders.io/images/security-headers.png").


Looking at the first error, the site tries to load an image over 'ftp://example.com/ftp.png' which is not whitelisted by img-src and hence CSP blocks the load, which seems correct to me.

Scott, thanks for reporting. At the moment I don't fully understand what the problem is you are reporting, am I missing something?
Flags: needinfo?(scotthelme)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #7)

Hey Christoph, 

I've updated the test page to remove the 'unsafe-inline' flag from the CSP, the error is now happening again if you want to check: https://scotthelme.co.uk/csp-test/

It's firing violations that I can only see in Firefox and I can't find the source of.
Flags: needinfo?(scotthelme)
Thanks for updating the site Scott; now I can reproduce the problem. It seems that jQuery is registering event handlers (see stacktrace underneath and also JS stacktrace at the very bottom) which are blocked by CSP if the top site does not use 'unsafe-inline'.

I agree the error message in the console is not that useful (we should log some more details), but the blocking itself seems correct to me. You mentioned you have tried other browsers; which ones? I just tried Chrome, they don't report that error, but I don't know why. To me it seems correct to actually block the load and report a violation.

#0  0x00007fffe8bae946 in CSPReportSenderRunnable::CSPReportSenderRunnable (this=0x7fffc51af080, aBlockedContentSource=0x7fffcd23e4f0, aOriginalURI=0x7fffc3251800, 
    aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=..., aObserverSubject=..., aSourceFile=..., aScriptSample=..., aLineNum=0, 
    aCSPContext=0x7fffc2dc4520) at /home/ckerschb/moz/mc/dom/security/nsCSPContext.cpp:1026
#1  0x00007fffe8b9b0ae in nsCSPContext::AsyncReportViolation (this=0x7fffc2dc4520, aBlockedContentSource=0x7fffcd23e4f0, aOriginalURI=0x7fffc3251800, 
    aViolatedDirective=..., aViolatedPolicyIndex=0, aObserverSubject=..., aSourceFile=..., aScriptSample=..., aLineNum=0)
    at /home/ckerschb/moz/mc/dom/security/nsCSPContext.cpp:1146
#2  0x00007fffe8b982ce in nsCSPContext::reportInlineViolation (this=0x7fffc2dc4520, aContentType=2, aNonce=..., aContent=..., aViolatedDirective=..., 
    aViolatedPolicyIndex=0, aLineNumber=0) at /home/ckerschb/moz/mc/dom/security/nsCSPContext.cpp:452
#3  0x00007fffe8b985d1 in nsCSPContext::GetAllowsInline (this=0x7fffc2dc4520, aContentType=2, aNonce=..., aContent=..., aLineNumber=0, outAllowsInline=0x7fffffffa6c3)
    at /home/ckerschb/moz/mc/dom/security/nsCSPContext.cpp:493
#4  0x00007fffe85acab7 in mozilla::EventListenerManager::SetEventHandler (this=0x7fffcc3c08b0, aName=0x7fffda420e20, aBody=..., aDeferCompilation=true, 
    aPermitUntrustedEvents=true, aElement=0x7fffcc3c00d0) at /home/ckerschb/moz/mc/dom/events/EventListenerManager.cpp:840
#5  0x00007fffe7344a15 in mozilla::dom::Element::SetEventHandler (this=0x7fffcc3c00d0, aEventName=0x7fffda420e20, aValue=..., aDefer=true)
    at /home/ckerschb/moz/mc/dom/base/Element.cpp:2164
#6  0x00007fffe87249bd in nsGenericHTMLElement::AfterSetAttr (this=0x7fffcc3c00d0, aNamespaceID=0, aName=0x7fffda420e20, aValue=0x7fffffffaa60, aNotify=true)
    at /home/ckerschb/moz/mc/dom/html/nsGenericHTMLElement.cpp:731
#7  0x00007fffe7345938 in mozilla::dom::Element::SetAttrAndNotify (this=0x7fffcc3c00d0, aNamespaceID=0, aName=0x7fffda420e20, aPrefix=0x0, aOldValue=..., 
    aParsedValue=..., aModType=2 '\002', aFireMutation=false, aNotify=true, aCallAfterSetAttr=true) at /home/ckerschb/moz/mc/dom/base/Element.cpp:2419
#8  0x00007fffe7344f96 in mozilla::dom::Element::SetAttr (this=0x7fffcc3c00d0, aNamespaceID=0, aName=0x7fffda420e20, aPrefix=0x0, aValue=..., aNotify=true)
    at /home/ckerschb/moz/mc/dom/base/Element.cpp:2297
#9  0x00007fffe8725688 in nsGenericHTMLElement::SetAttr (this=0x7fffcc3c00d0, aNameSpaceID=0, aName=0x7fffda420e20, aPrefix=0x0, aValue=..., aNotify=true)
    at /home/ckerschb/moz/mc/dom/html/nsGenericHTMLElement.cpp:910
#10 0x00007fffe7368a02 in mozilla::dom::Element::SetAttr (this=0x7fffcc3c00d0, aNameSpaceID=0, aName=0x7fffda420e20, aValue=..., aNotify=true)
    at /home/ckerschb/moz/mc-obj-ff-dbg/dist/include/mozilla/dom/Element.h:460
#11 0x00007fffe7341b47 in mozilla::dom::Element::SetAttribute (this=0x7fffcc3c00d0, aName=..., aValue=..., aError=...) at /home/ckerschb/moz/mc/dom/base/Element.cpp:1201
#12 0x00007fffe818e400 in mozilla::dom::ElementBinding::setAttribute (cx=0x7fffc33b0000, obj=..., self=0x7fffcc3c00d0, args=...)
    at /home/ckerschb/moz/mc-obj-ff-dbg/dom/bindings/ElementBinding.cpp:851
#13 0x00007fffe837f7e7 in mozilla::dom::GenericBindingMethod (cx=0x7fffc33b0000, argc=2, vp=0x7fffda13f270) at /home/ckerschb/moz/mc/dom/bindings/BindingUtils.cpp:2778
#14 0x00007fffeb7c3f84 in js::CallJSNative (cx=0x7fffc33b0000, native=0x7fffe837f5b7 <mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/ckerschb/moz/mc/js/src/jscntxtinlines.h:235
#15 0x00007fffeb7a1a0b in js::InternalCallOrConstruct (cx=0x7fffc33b0000, args=..., construct=js::NO_CONSTRUCT) at /home/ckerschb/moz/mc/js/src/vm/Interpreter.cpp:480
#16 0x00007fffeb7a1d29 in InternalCall (cx=0x7fffc33b0000, args=...) at /home/ckerschb/moz/mc/js/src/vm/Interpreter.cpp:525
#17 0x00007fffeb7a1d53 in js::CallFromStack (cx=0x7fffc33b0000, args=...) at /home/ckerschb/moz/mc/js/src/vm/Interpreter.cpp:531
#18 0x00007fffeb7b103b in Interpret (cx=0x7fffc33b0000, state=...) at /home/ckerschb/moz/mc/js/src/vm/Interpreter.cpp:2831
#19 0x00007fffeb7a1689 in js::RunScript (cx=0x7fffc33b0000, state=...) at /home/ckerschb/moz/mc/js/src/vm/Interpreter.cpp:426
#20 0x00007fffeb7a299d in js::ExecuteKernel (cx=0x7fffc33b0000, script=..., scopeChainArg=..., newTargetValue=..., evalInFrame=..., result=0x0)
    at /home/ckerschb/moz/mc/js/src/vm/Interpreter.cpp:704
#21 0x00007fffeb7a2c67 in js::Execute (cx=0x7fffc33b0000, script=..., scopeChainArg=..., rval=0x0) at /home/ckerschb/moz/mc/js/src/vm/Interpreter.cpp:737
#22 0x00007fffeb55c55f in ExecuteScript (cx=0x7fffc33b0000, scope=..., script=..., rval=0x0) at /home/ckerschb/moz/mc/js/src/jsapi.cpp:4392
#23 0x00007fffeb55c7aa in ExecuteScript (cx=0x7fffc33b0000, scopeChain=..., scriptArg=..., rval=0x0) at /home/ckerschb/moz/mc/js/src/jsapi.cpp:4411
#24 0x00007fffeb55c98d in JS_ExecuteScript (cx=0x7fffc33b0000, scopeChain=..., scriptArg=...) at /home/ckerschb/moz/mc/js/src/jsapi.cpp:4438
#25 0x00007fffe74f5ddb in nsJSUtils::EvaluateString (aCx=0x7fffc33b0000, aSrcBuf=..., aEvaluationGlobal=..., aCompileOptions=..., aEvaluateOptions=..., aRetValue=..., 
    aOffThreadToken=0x7fffc187f628) at /home/ckerschb/moz/mc/dom/base/nsJSUtils.cpp:207
#26 0x00007fffe74f627a in nsJSUtils::EvaluateString (aCx=0x7fffc33b0000, aSrcBuf=..., aEvaluationGlobal=..., aCompileOptions=..., aOffThreadToken=0x7fffc187f628)
    at /home/ckerschb/moz/mc/dom/base/nsJSUtils.cpp:280
#27 0x00007fffe7537000 in nsScriptLoader::EvaluateScript (this=0x7fffc5747440, aRequest=0x7fffc187f5e0, aSrcBuf=...)
    at /home/ckerschb/moz/mc/dom/base/nsScriptLoader.cpp:1142
#28 0x00007fffe7536357 in nsScriptLoader::ProcessRequest (this=0x7fffc5747440, aRequest=0x7fffc187f5e0) at /home/ckerschb/moz/mc/dom/base/nsScriptLoader.cpp:961
#29 0x00007fffe75356bc in nsScriptLoader::ProcessOffThreadRequest (this=0x7fffc5747440, aRequest=0x7fffc187f5e0) at /home/ckerschb/moz/mc/dom/base/nsScriptLoader.cpp:771
#30 0x00007fffe7535992 in (anonymous namespace)::NotifyOffThreadScriptLoadCompletedRunnable::Run (this=0x7fffc519efa0)
    at /home/ckerschb/moz/mc/dom/base/nsScriptLoader.cpp:801
#31 0x00007fffe5b2f312 in nsThread::ProcessNextEvent (this=0x7ffff6b7b500, aMayWait=false, aResult=0x7fffffffc5bf) at /home/ckerschb/moz/mc/xpcom/threads/nsThread.cpp:994
#32 0x00007fffe5b95b0f in NS_ProcessNextEvent (aThread=0x7ffff6b7b500, aMayWait=false) at /home/ckerschb/moz/mc/xpcom/glue/nsThreadUtils.cpp:290
#33 0x00007fffe62ecbfa in mozilla::ipc::MessagePump::Run (this=0x7fffe2789a00, aDelegate=0x7ffff6b426e0) at /home/ckerschb/moz/mc/ipc/glue/MessagePump.cpp:98
#34 0x00007fffe624fa67 in MessageLoop::RunInternal (this=0x7ffff6b426e0) at /home/ckerschb/moz/mc/ipc/chromium/src/base/message_loop.cc:230
#35 0x00007fffe624f9fc in MessageLoop::RunHandler (this=0x7ffff6b426e0) at /home/ckerschb/moz/mc/ipc/chromium/src/base/message_loop.cc:223
#36 0x00007fffe624f9d5 in MessageLoop::Run (this=0x7ffff6b426e0) at /home/ckerschb/moz/mc/ipc/chromium/src/base/message_loop.cc:203
#37 0x00007fffe920d9e4 in nsBaseAppShell::Run (this=0x7fffda1b8120) at /home/ckerschb/moz/mc/widget/nsBaseAppShell.cpp:156
#38 0x00007fffea167191 in nsAppStartup::Run (this=0x7fffda15ab00) at /home/ckerschb/moz/mc/toolkit/components/startup/nsAppStartup.cpp:281
#39 0x00007fffea1ffe9e in XREMain::XRE_mainRun (this=0x7fffffffc990) at /home/ckerschb/moz/mc/toolkit/xre/nsAppRunner.cpp:4340
#40 0x00007fffea200265 in XREMain::XRE_main (this=0x7fffffffc990, argc=1, argv=0x7fffffffdea8, aAppData=0x7fffffffcbb0)
    at /home/ckerschb/moz/mc/toolkit/xre/nsAppRunner.cpp:4437
#41 0x00007fffea200542 in XRE_main (argc=1, argv=0x7fffffffdea8, aAppData=0x7fffffffcbb0, aFlags=0) at /home/ckerschb/moz/mc/toolkit/xre/nsAppRunner.cpp:4543
#42 0x000000000040586a in do_main (argc=1, argv=0x7fffffffdea8, envp=0x7fffffffdeb8, xreDirectory=0x7ffff6b59780) at /home/ckerschb/moz/mc/browser/app/nsBrowserApp.cpp:220
#43 0x0000000000405c74 in main (argc=1, argv=0x7fffffffdea8, envp=0x7fffffffdeb8) at /home/ckerschb/moz/mc/browser/app/nsBrowserApp.cpp:360
(gdb) print dumpJSStack()
No symbol "dumpJSStack" in current context.
(gdb) print DumpJSStack()
0 x.support<(t = [object Object]) ["https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js":4]
    this = [object Window]
1 anonymous(e = [object Window]) ["https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js":4]
    this = [object Window]
2 <TOP LEVEL> ["https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js":4]

$1 = void
Hi! I'm totally willing to believe that Chrome is doing something wrong here, but it would be helpful to have a slightly more minimal test case. I guess the trace posted above is referring to an execution of `setAttribute()` somewhere? I don't actually see that in the code, though, so... Halp?
Scott, I chatted with Google folks on IRC, they are also curious about the error as well. Any chance I could convince you to provide a minimal site that produces the error to eliminate all the noise? See also IRC chat underneath:

ckerschb> mkwst: since I have you in the same time zone, would you mind taking a look at: https://bugzilla.mozilla.org/show_bug.cgi?id=1262638#c9 - it seems chrome is not reporting that jquery violation even though I think it's correct that firefox does
1:42 PM <firebot> Bug 1262638 — NEW, nobody@mozilla.org — CSP reports sent but can't find the cause
1:45 PM <mkwst> ckerschb: Sure! Is there a more minimal page that produces the reports you see? I'm totally willing to believe that Chrome does the wrong thing with event handlers set from script.
1:46 PM <mkwst> Just to be sure we're on the same page, you're talking about something like `el.setAttribute('load', 'script goes here');`, right? `el.onload = whatever;` isn't inline script.
1:50 PM <ckerschb> mkwst: I believe so. The report says line 4 on https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js which is hard to verify :-)
1:50 PM ⇐ remi quit (Thunderbird@moz-cpg.e0p.12.80.IP) Client exited
1:50 PM <mkwst> ...
1:50 PM <mkwst> Yeah. :)
1:50 PM → remi joined (Thunderbird@moz-cpg.e0p.12.80.IP)
1:50 PM <ckerschb> I am trusting the gecko stacktrace I posted
Flags: needinfo?(scotthelme)
I've started on a basic page here without the other example CSP tests that I included: https://scotthelme.co.uk/bug-1262638/

I'm not exactly sure what/where the problem is myself so when you say a minimal test case, what would you like me to remove? I could be limited by my blogging platform to remove much more but let me know and I will see what I can do.
Flags: needinfo?(scotthelme)
For me, it would be helpful if there was a page that produced _that_ report in Firefox, but no others (and, no reports in Chrome, I suppose). Getting rid of every library on the page that doesn't participate in producing that report would make it much simpler to determine what interaction causes the problem, and then to figure out whether Chrome or Firefox has the correct behavior.
Ok, try now.
Mike, any chance you could have someone take a look at this bug from the Chrome folks to see why Chrome is not sending any reports?
Flags: needinfo?(mkwst)
Priority: -- → P3
Whiteboard: [domsecurity-backlog]
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog3]
As discussed with Mike in person, this is on Chrome's radar to fix. I will mark this bug as INVALID since Firefox behaves correctly.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(mkwst)
Resolution: --- → INVALID