If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Give a better error message when inline script is blocked by CSP

NEW
Assigned to

Status

()

Core
DOM: Security
P3
normal
a year ago
a year ago

People

(Reporter: jsnajdr, Assigned: arroway)

Tracking

(Blocks: 2 bugs)

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 attachment)

(Reporter)

Description

a year ago
Steps to reproduce:
1. Create a HTML page with inline script: <button onclick="handle()">Hi</button>
2. Serve the page with header Content-Security-Policy: default-src 'self'
3. Open the page in Firefox

Expected result:
Error message that clearly explains what is going on. For example, Chrome does this:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

Actual result:
1. Got this in the console:
Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src http://localhost:5000”).

2. Was very confused for a while (until I tried to load the page in Chrome), because the browser seems to refuse to load a script from 'self', which is explicitly allowed by default-src.
Thanks Jarda for reporting. In fact, improving the console messages for CSP is on our radar. Putting in our backlog so someone can pick up that work (hopefully soonish).
Blocks: 1231788
Whiteboard: [domsecurity-backlog]
Priority: -- → P1
Duplicate of this bug: 1178496
(Assignee)

Updated

a year ago
Assignee: nobody → stephouillon
(Assignee)

Updated

a year ago
Blocks: 1242016
(Assignee)

Updated

a year ago
See Also: → bug 1267389
(Assignee)

Comment 3

a year ago
Created attachment 8765110 [details] [diff] [review]
Bug1279894-Improve_webconsole_messages_inline.patch

This is an attempt to improve messages in the webconsole for inline violations of the CSP.
I used the constants defined in nsCSPUtils.h (https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPUtils.h#57). Does it look like a good approach?

I tried to fin how it was done before the regression of bug 1134084, but couldn't find the relevant code, but that explains why the CSPViolation constant in csp.properties is not used anywhere in the code anymore (as well as the three constants about inline violations).

One comment: the first two constants (INLINE_SCRIPT_VIOLATION_OBSERVER_TOPIC and INLINE_STYLE_VIOLATION_OBSERVER_TOPIC) doesn't seem to be useful anymore according to https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPContext.cpp#427.
Could they be removed or am I missing something?
Attachment #8765110 - Flags: feedback?(ckerschb)
Comment on attachment 8765110 [details] [diff] [review]
Bug1279894-Improve_webconsole_messages_inline.patch

Review of attachment 8765110 [details] [diff] [review]:
-----------------------------------------------------------------

Stephanie, approach looks good to me. Please make sure we have a central theme, so that all of those messages follow the same pattern. There are also a bunch of devtools test which we probably need to be updated. Thanks for working on this; would really love to see those message getting improved.

::: dom/security/nsCSPUtils.h
@@ +53,5 @@
>  
>  
>  /* =============== Constant and Type Definitions ================== */
>  
> +#define INLINE_STYLE_VIOLATION_OBSERVER_TOPIC        "Inline use of the <style> element and HTML style attributes are disabled unless you specify a hash, a nonce or the 'unsafe-inline' directive"

Please either remove 'directive' completely or replace with 'keyword'. (script-src is a diretive, 'unsafe-inline' is a keyword).

@@ +54,5 @@
>  
>  /* =============== Constant and Type Definitions ================== */
>  
> +#define INLINE_STYLE_VIOLATION_OBSERVER_TOPIC        "Inline use of the <style> element and HTML style attributes are disabled unless you specify a hash, a nonce or the 'unsafe-inline' directive"
> +#define INLINE_SCRIPT_VIOLATION_OBSERVER_TOPIC       "Inline scripts are disabled unless you specify a hash, a nonce or the 'unsafe-inline' directive (and 'unsafe-eval' for use of eval())" 

Can we make the script message match the style message? E.g. in the style message you explicitly use <style>, but in the script message you don't.

@@ +55,5 @@
>  /* =============== Constant and Type Definitions ================== */
>  
> +#define INLINE_STYLE_VIOLATION_OBSERVER_TOPIC        "Inline use of the <style> element and HTML style attributes are disabled unless you specify a hash, a nonce or the 'unsafe-inline' directive"
> +#define INLINE_SCRIPT_VIOLATION_OBSERVER_TOPIC       "Inline scripts are disabled unless you specify a hash, a nonce or the 'unsafe-inline' directive (and 'unsafe-eval' for use of eval())" 
> +#define EVAL_VIOLATION_OBSERVER_TOPIC                "The use of eval() is disabled and code will not be created from strings unless you specify the 'unsafe-eval' directive"

same here, please replace directive with keyword or remove.

@@ +57,5 @@
> +#define INLINE_STYLE_VIOLATION_OBSERVER_TOPIC        "Inline use of the <style> element and HTML style attributes are disabled unless you specify a hash, a nonce or the 'unsafe-inline' directive"
> +#define INLINE_SCRIPT_VIOLATION_OBSERVER_TOPIC       "Inline scripts are disabled unless you specify a hash, a nonce or the 'unsafe-inline' directive (and 'unsafe-eval' for use of eval())" 
> +#define EVAL_VIOLATION_OBSERVER_TOPIC                "The use of eval() is disabled and code will not be created from strings unless you specify the 'unsafe-eval' directive"
> +#define SCRIPT_NONCE_VIOLATION_OBSERVER_TOPIC        "Check the inline script element has a valid nonce"
> +#define STYLE_NONCE_VIOLATION_OBSERVER_TOPIC         "Check the inline style element has a valid nonce"

Check the inline style element has a valid nonce - those sentences (for style and script nonce) read slightly weired, can we rephrase?

@@ +59,5 @@
> +#define EVAL_VIOLATION_OBSERVER_TOPIC                "The use of eval() is disabled and code will not be created from strings unless you specify the 'unsafe-eval' directive"
> +#define SCRIPT_NONCE_VIOLATION_OBSERVER_TOPIC        "Check the inline script element has a valid nonce"
> +#define STYLE_NONCE_VIOLATION_OBSERVER_TOPIC         "Check the inline style element has a valid nonce"
> +#define SCRIPT_HASH_VIOLATION_OBSERVER_TOPIC         "Execution of inline script has been blocked: use a valid hash, a nonce or the 'unsafe-inline' directive to enable script execution"
> +#define STYLE_HASH_VIOLATION_OBSERVER_TOPIC          "Use of inline <style> element or HTML style attributes has been blocked: use a valid hash, a nonce or the 'unsafe-inline' directive to allow"

Also here: would be awesome if the style and script message match pretty closely.
Attachment #8765110 - Flags: feedback?(ckerschb) → feedback+
(In reply to Stephanie Ouillon [:arroway] from comment #3)
> One comment: the first two constants (INLINE_SCRIPT_VIOLATION_OBSERVER_TOPIC
> and INLINE_STYLE_VIOLATION_OBSERVER_TOPIC) doesn't seem to be useful anymore
> according to
> https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPContext.
> cpp#427.
> Could they be removed or am I missing something?

I suppose you can remove them.
Whiteboard: [domsecurity-backlog] → [domsecurity-active]
Priority: P1 → P3
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]
See Also: → bug 1296027
You need to log in before you can comment on or make changes to this bug.