Closed Bug 1262963 Opened 8 years ago Closed 7 years ago

Allow CSSOM access to cross-origin stylesheets (for testing only)

Categories

(Core :: DOM: CSS Object Model, defect, P3)

Product:
Core
Component:
DOM: CSS Object Model
Platform:
All
Unspecified
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
platform-rel --- +
firefox48 --- affected
firefox55 --- fixed

People

(Reporter: bugs, Assigned: bugs)

References

Details

(Whiteboard: btpp-fixlater [platform-rel-Microsoft][platform-rel-Edge])

Attachments

(3 files, 1 obsolete file)

Updated patch with a new pref
992 bytes, patch
Details | Diff | Splinter Review
Add an env variable for shell scripting
1.23 KB, patch
Details | Diff | Splinter Review
Bug 1262963 - Add env var for bypassing origin check of cssom.
58 bytes, text/x-review-board-request
heycam
: review+
Details 
I don't think we'd ever ship this, for obvious reasons. I'm filing this bug so we can review the correct way to build Firefox to allow a crawler to collect the style rules used by a site. Such a build could be used to collect CSS usage like:
https://developer.microsoft.com/en-us/microsoft-edge/platform/usage/
Attachment #8739166 - Flags: feedback?(cam)
Whiteboard: btpp-fixlater
To quote from https://developer.microsoft.com/en-us/microsoft-edge/platform/faq/where-is-firefox/:

  We would love to crawl with Firefox, and have reached out to them to see if they would be
  willing to provide a way to spin up their browser with access to external CSS stylesheets. Since
  this currently isn’t possible we don’t want to include their numbers as we don’t want those to
  affect the data we’re providing to the community.


Here is the script that is being injected (using WebDriver) when Firefox is being driven for this crawl: https://github.com/MicrosoftEdge/css-usage/blob/6432187/cssUsage.src.js#L307

How about adding a new pref to control whether read only cross-origin CSSOM access is allowed (a different pref from the one in attachment 8739166 [details] [diff] [review], since that one implies some other security loosening that we don't need here), and only taking notice of the pref if WebDriver is enabled?
See Also: → 1248444
Define "read only"?  Once you have your hands on a CSSStyleDeclaration from this cross-origin sheet, can you set properties on it?  If not, we'd need to add checks for this stuff on a bunch of codepaths, right?

Anyway, I'm OK with a non-default mode, using a different pref name, that would just let you do whatever the heck you want with cross-origin sheets.  And yes, only having that pref apply when webdriver is enabled is a good idea.
Good point about read only -- I was thinking we would just add the pref check to GetCssRules and not InsertRule and DeleteRule, but of course you are right once we have access to objects further in the sheet that's harder to restrict.
David, is there a good way of detecting, from outside of the Marionette add-on, that we are running with Web Driver enabled?
Flags: needinfo?(dburns)
There is bug 1169290 to add an IDL attribute to the `navigator` object when Marionette is active.  I’m not quite sure how to go about implementing that from JS/XPCOM.

In the meantime I guess it is possible to execute a script that sets an attribute on the `window` object:

    session.execute_script("window.wrappedJSObject.webdriver = true")
Changing the pref name and posting a new patch. Try results: 
https://treeherder.mozilla.org/#/jobs?repo=try&revision=1b77b2b2f1a7
Assignee: nobody → bugs
Attachment #8739166 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8739166 - Flags: feedback?(cam)
We need to implement what is in bug 1169290
Flags: needinfo?(dburns)
platform-rel: --- → ?
Whiteboard: btpp-fixlater → btpp-fixlater [platform-rel-Microsoft][platform-rel-Edge]
platform-rel: ? → +
Blocks: 1314311
Are we going to land this or something like it, Jet? Or is having patched builds sufficient?
Flags: needinfo?(bugs)
Rank: 50
(In reply to Andrew Overholt [:overholt] from comment #9)
> Are we going to land this or something like it, Jet? Or is having patched
> builds sufficient?

I'm inclined to ship just the patch in comment 8 if it passes a sec-review. heycam: WDYT?
Flags: needinfo?(bugs) → needinfo?(cam)
Priority: -- → P3
Comparing to the patch from comment 6, there are several effective difference:
* the pref is changed to "security.turn_off_cssom_origin_check" which I think makes more sense;
* in addition to allowing reading cssRules, it also enables insertRule and deleteRule because the security check code has been unified a while ago, so it is easier to do this;
* the origin of the stylesheet is changed to the page origin when accessed
I had hoped that we could restrict this a bit more.  It makes me wary to just have a pref by itself, since addons (and end users!) can set prefs, and I think we have a history of bad-for-security prefs being set by users and addons.  Checking this pref and verifying that we are running under Marionette would be a good combination, I think, but when I tried earlier on I couldn't find a way to do that.

Andreas and David mentioned bug 1169290 above, but it's not that we want to expose "is running under Marionette" to script, rather just internally.  (Although maybe the work to do bug 1169290 would help with that.)


(In reply to Xidorn Quan [:xidorn] (UTC+10) from comment #12)
> * the origin of the stylesheet is changed to the page origin when accessed

How it this achieved in the patch, and what advantage does it have to do this?
Flags: needinfo?(cam)
> I had hoped that we could restrict this a bit more. 

Apparently you can set environment variables via add-ons as well (TIL): https://developer.mozilla.org/en-US/Add-ons/SDK/Low-Level_APIs/system_environment
(In reply to Cameron McCormack (:heycam) from comment #13)
> I had hoped that we could restrict this a bit more.  It makes me wary to
> just have a pref by itself, since addons (and end users!) can set prefs, and
> I think we have a history of bad-for-security prefs being set by users and
> addons.  Checking this pref and verifying that we are running under
> Marionette would be a good combination, I think, but when I tried earlier on
> I couldn't find a way to do that.
> 
> Andreas and David mentioned bug 1169290 above, but it's not that we want to
> expose "is running under Marionette" to script, rather just internally. 
> (Although maybe the work to do bug 1169290 would help with that.)

It doesn't seem to me there is anything that Marionette driver can do but an addon cannot. Probably a command line argument would be better if you really worry about this.

For addons, we can probably ask addon team to carefully review (or probably just reject) any addon which touches "security." prefs.

I don't actually think it is a big deal that end users can turn it on. That would be a small number of users anyway, which means it wouldn't be something useful for attackers. (If it turns out to be widespread, we can respond then. But why may users want to do that? One reason might be bug 1314311, though.)

It may allow websites to access what they couldn't access before, but it is also unlikely that sensitive information could be leaked via CSSOM, because that requires the sensitive information to be parsable as CSS first, which majority of web pages aren't.

Users can easily shoot in their foot on security especially by setting environment variables (to enable outputing ssl private keys, for example). So this isn't the worst thing they can do to hurt their own security anyway.

I guess, we could add something to the UI to alert user that some insecure setting has been activated on their instance so that they can be aware of that, in case they forget to close after using them.

I'll also ask security team to do security review on this patch as well, to see if they are concerned about this, and if they are fine with my reasoning above.

> (In reply to Xidorn Quan [:xidorn] (UTC+10) from comment #12)
> > * the origin of the stylesheet is changed to the page origin when accessed
> 
> How it this achieved in the patch, and what advantage does it have to do
> this?

StyleSheet::SubjectSubsumesInnerPrincipal() is already doing this for cross-origin CSSOM access. I just make this pref part of its condition to do that.
Comment on attachment 8815168 [details]
Bug 1262963 - Add env var for bypassing origin check of cssom.

Set sec-approval? for the new (hidden) pref which disables origin check for accessing CSSOM.

See comment 15 for reason why I don't think this is bad for security.
Attachment #8815168 - Flags: sec-approval?
This is a public bug. Sec-approval is useless here. :-)
The point of sec-approval is to gate checkins for exposure on sec-critical and sec-high rated security bugs.
Attachment #8815168 - Flags: sec-approval?
So how should I ask for a security review of the patch?
Flags: needinfo?(abillings)
Set the sec-review flag or needinfo? the person who would do the review?

Whose decision is this issue?
Flags: needinfo?(abillings)
It seems I cannot set the sec-review flag. I think it is from Jet.
Jet, do you think we still need to do this?
Flags: needinfo?(bugs)
(In reply to Cameron McCormack (:heycam) from comment #21)
> Jet, do you think we still need to do this?

I'll find out at CSSWG F2F next week. Keeping the NI:me open.
(In reply to Cameron McCormack (:heycam) from comment #21)
> Jet, do you think we still need to do this?

It appears we do. We can get by with just the environment variable and #ifndef RELEASE to further secure this one.
Flags: needinfo?(bugs)
How is this coming along?
ni? myself for updating the patch to use environment variable instead of pref.
Flags: needinfo?(xidorn+moz)
Patch updated.

So now the switch is behind a one-off initialization from environment variable, so it is less likely to be changed. With e10s, though, new child process may still be affected if the environment variable changes.

Also it is behind RELEASE_OR_BETA, which means this environment variable would only be effective on Nightly. Hopefully this is enough for people who want to test.

heycam, could you review this patch now?
Flags: needinfo?(xidorn+moz) → needinfo?(cam)
Greg, currently I'm going to only allow that environment variable on Nightly. Does that work for you? Or you want to use beta or release version for your purpose?
Flags: needinfo?(gwhit)
Comment on attachment 8815168 [details]
Bug 1262963 - Add env var for bypassing origin check of cssom.

https://reviewboard.mozilla.org/r/96196/#review143352

::: dom/base/nsContentUtils.h:2229
(Diff revision 2)
>    /**
> +   * Returns true if CSSOM origin check should be skipped for test.
> +   */

Please elaborate a little more in this comment about what kind of testing this is designed for, and perhaps mention the environment variable here too.
Attachment #8815168 - Flags: review?(cam) → review+
Greg, also, could you try using this build with your script and see if it works? https://archive.mozilla.org/pub/firefox/try-builds/xquan@mozilla.com-8930a72286deb2ca4191e68df7cb29635f3bbf68/try-win64-debug/firefox-55.0a1.en-US.win64.zip

The environment variable is MOZ_BYPASS_CSSOM_ORIGIN_CHECK.
Yes, nightly only is fine - I'll update the VMs with that build and configure the var and let you all know. One quick question, will this ALWAYS be in nightly? As we'd like to update it every time we run without needing custom builds. I assume yes, but want to be sure.
Flags: needinfo?(gwhit)
Yes it will.  Once you've confirmed that build works, we'll land the patch.
Flags: needinfo?(cam)
Ok, we have verified this in the crawler. Please ship the patch - thank you all so much for the hard work and patience.
Pushed by xquan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/de9ea32f4238
Add env var for bypassing origin check of cssom. r=heycam
https://hg.mozilla.org/mozilla-central/rev/de9ea32f4238
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Nightly today or tomorrow should start including this :)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: