Incorrect behavior of Subresource Integrity when Sandbox attribute present

Status: RESOLVED FIXED

Product: Core
Component: DOM: Security
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: Eric Lawrence (@ericlaw), Unassigned)

Tracking

Version: 51 Branch

Firefox Tracking Flags: (Not tracked)

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.80 Safari/537.36

Steps to reproduce:

Visit https://bayden.com/test/sri/ in Chrome 55 and Firefox 51.


Actual results:

Stylesheet applied in Firefox but not in Chrome.


Expected results:

In Chrome, the stylesheet application is blocked because the LINK element did not specify crossorigin="anonymous". Though the CSS resource is normally same-origin to the page in the same folder, the SANDBOX attribute in the page's CSP declaration means that it should not be treated as such.

See also https://crbug.com/642744
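The reporter's expected behaviour follows from how Fetch classifies the response and how SRI decides eligibility. Below is an added example (not code from the bug report, from the test page, or from Firefox/Chrome) that models that decision in JavaScript: a document sandboxed by CSP without allow-same-origin has an opaque origin, so a stylesheet in the "same folder" is fetched in no-cors mode and comes back opaque, which SRI refuses to check. The crossorigin values and Access-Control-Allow-Origin headers in the scenarios are constructed to illustrate the four outcomes; they are not taken from the live bayden.com page.

```javascript
// Added example: a model of the Fetch response-type and SRI eligibility rules
// applied to the scenario in comment 0. Not browser code; spec-level logic only.

// Origin of a URL as scheme + host[:port]. A document sandboxed without
// 'allow-same-origin' has an opaque origin, represented here as null.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Response type the Fetch spec assigns to a subresource request.
//   documentOrigin: origin string, or null for an opaque (sandboxed) origin
//   resourceUrl:    absolute URL of the <link>/<script> target
//   crossorigin:    undefined (attribute absent), "anonymous", "" or "use-credentials"
//   acao:           Access-Control-Allow-Origin response header value, if any
function responseType({ documentOrigin, resourceUrl, crossorigin, acao }) {
  const sameOrigin = documentOrigin !== null && documentOrigin === originOf(resourceUrl);
  if (sameOrigin) return "basic";                 // same-origin: body readable
  if (crossorigin === undefined) return "opaque"; // no-cors mode: body hidden from SRI
  // cors mode. An opaque origin serializes to the string "null" in the Origin header.
  const serializedOrigin = documentOrigin === null ? "null" : documentOrigin;
  const withCredentials = crossorigin === "use-credentials";
  if (acao === "*" && !withCredentials) return "cors";
  // Exact match is also accepted (use-credentials would additionally need
  // Access-Control-Allow-Credentials: true; not modelled here).
  if (acao === serializedOrigin) return "cors";
  return "network-error";                         // CORS check failed
}

// SRI: only responses of type basic, cors or default are eligible for integrity
// validation. When an integrity attribute is present, an ineligible or failed
// response means the resource is not applied.
function sriDecision(opts) {
  const type = responseType(opts);
  if (type === "network-error") return "blocked: CORS request failed";
  if (!["basic", "cors", "default"].includes(type)) {
    return "blocked: not eligible for integrity checks (neither CORS-enabled nor same-origin)";
  }
  return "integrity check performed";
}

// Constructed scenarios around the URL from comment 0 (page at
// https://bayden.com/test/sri/ linking styles.css from the same folder).
const STYLES = "https://bayden.com/test/sri/styles.css";
const SCENARIOS = {
  // CSP sandbox without allow-same-origin, no crossorigin attribute:
  // the behaviour the bug asked Firefox to adopt.
  sandboxedNoCrossorigin:    { documentOrigin: null, resourceUrl: STYLES, crossorigin: undefined, acao: undefined },
  // Same markup without the sandbox: genuinely same-origin.
  notSandboxed:              { documentOrigin: "https://bayden.com", resourceUrl: STYLES, crossorigin: undefined, acao: undefined },
  // Sandboxed, but the link opts into CORS and the server allows any origin.
  sandboxedAnonymousAllowed: { documentOrigin: null, resourceUrl: STYLES, crossorigin: "anonymous", acao: "*" },
  // Sandboxed, CORS requested, but the server sends no ACAO header.
  sandboxedAnonymousNoAcao:  { documentOrigin: null, resourceUrl: STYLES, crossorigin: "anonymous", acao: undefined },
};

function runScenarios() {
  const out = {};
  for (const [name, opts] of Object.entries(SCENARIOS)) out[name] = sriDecision(opts);
  return out;
}

console.log(runScenarios());
```

The practical takeaway for anyone shipping SRI on a sandboxed page: the URL being in the same folder buys nothing once the origin is opaque; the element needs crossorigin="anonymous" and the server must answer with a permissive Access-Control-Allow-Origin, otherwise the integrity-protected resource is dropped rather than checked.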
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0

I have tested this issue on Windows 10 x64 with the latest Firefox release (48.0.2) and the latest Nightly (51.0a1-20160904030201) and managed to reproduce it.
After loading the URL provided in the STR from the description, you can observe that the stylesheet is applied and the text is colored red.
Component: Untriaged → DOM: Security
Product: Firefox → Core
We'll need to re-test this once bug 1187335 lands because the test for whether or not something is same-origin has changed.
Depends on: 1187335
It seems Bug 1187335 has fixed the issue described in this bug. When running the STR from comment 0, the text is not styled and I see the following error in the console:

> “https://bayden.com/test/sri/styles.css” is not eligible for integrity checks since it’s neither CORS-enabled nor same-origin.
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #3)
> It seems Bug 1187335 has fixed the issue described in this bug. When running
> the STR from comment 0, the text is not styled and I see the following error
> in the console:
> 
> > “https://bayden.com/test/sri/styles.css” is not eligible for integrity checks since it’s neither CORS-enabled nor same-origin.

Great!
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
awesome! thanks.