Closed Bug 1313937 Opened 9 years ago Closed 2 years ago

CSP: Enforce 'strict-dynamic' within default-src

Categories

(Core :: DOM: Security, task, P3)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
117 Branch
Tracking Flags:
Tracking Status
firefox117 --- fixed

People

(Reporter: ckerschb, Assigned: tschuster)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1])

Attachments

(7 files)

default-nonce.html
197 bytes, text/html
Details
default-hash.html
221 bytes, text/html
Details
default-strict-dynamic.html
353 bytes, text/html
Details
Bug 1313937 - CSP: Handle nonce from requests more explictly and closer to the spec. r?freddyb
48 bytes, text/x-phabricator-request
Details | Review
Bug 1313937 - CSP: Reimplement 'strict-dynamic'. r?freddyb
48 bytes, text/x-phabricator-request
Details | Review
Bug 1313937 - CSP: Remove aParserCreated. r?freddyb
48 bytes, text/x-phabricator-request
Details | Review
Bug 1313937 - CSP: Logging improvements. r?ckerschb
48 bytes, text/x-phabricator-request
Details | Review
CSP spec allows 'strict-dynamic' not only to appear within script-src, but also within default-src. To be spec compliant we should fix that.
Blocks: 1299483
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Summary: CSP: Enforce 'strict-dynamic' within default-src → CSP: Enforce 'strict-dynamic' and nonce within default-src
Also nonce and hash are honored in default-src (if no script-src), as implied by Christoph's summary change.
The nonce-in-default-src support is part of CSP2.
Blocks: csp-w3c-2
Hi all, I can see that this problem with 'strict-dynamic', nonces and hashes in default-src was already discussed here a year ago. I just want to tell that the problem is still there, at least in Firefox 57 on Fedora. Here is my CSP: default-src 'strict-dynamic' 'nonce-IJAuBi0Jw3E9oKVtziojOEWv3'; Scripts with the right nonce are not executed. I guess that Firefox do not use default-src as a fallback for the missing script-src directive. Regarding 'strict-dynamic', I get a warning that it is simply ignored by Firefox.
(In reply to Dolière Francis SOME from comment #3) > I just want to tell that the problem is still there, at least in Firefox 57 > on Fedora. Yeah, I know. Unfortunately it's still in our backlog. If you are interested in contributing to the project I am happy to provide some guidance for this bug. Thanks!
Thanks for the quick answer ! Yeah, please let me know how one can contribute to the project. I am willing to help if I can.
Firefox already enforces strict-dynamic within script-src, so you could query for CSP_STRICT_DYNAMIC within dom/security/ and apply similar enforcement strategies as we already have in place for script-src. First you will have to change nsCSPParser.cpp to account for strict-dynamic within default-src, then you have to update nsCSPUtils.cpp to actually enforce strict-dynamic within default-src. Let me know if you get stuck somewhere - thanks!
Thanks for the guidelines !

Hello,

I wanted to confirm that the use of nonces and/or hashes within default-src is still unsupported as of Firefox 65. Is there a separate issue tracking this bug? It has been very difficult to find information on, I have not been able to locate any documentation suggesting the default-src directive is not fully functional in FF.

Sorry, should have included this in my original comment. The CSP header I am working with is:

Content-Security-Policy: default-src 'self' 'nonce-aaAAbbBBccCCddDD'

And scripts with the appropriate nonce attribute are not firing.

I wanted to confirm that the use of nonces and/or hashes within default-src is still unsupported as of Firefox 65. Is there a separate issue tracking this bug?

Sorry for the confusion - to answer your question, this is the right bug for tracking the issue that nonce is not supported in default-src. Unfortunately that bug is still in our backlog and I can't make any statements on when we will get to it.

As a workaround and also best practice you could place the nonce- within script-src.

Hi,

nonces and hashes within default-src are still unsupported in Firefox 84.

CSP: default-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='
blocks <script>alert(42)</script> although the hash matches.

CSP: default-src 'nonce-ABCDEF'
blocks <script nonce="ABCDEF">alert(42)</script> although the nonce is set.

However, unsafe-inline (i.e. CSP1) is supported in default-src:
CSP: default-src 'unsafe-inline'
does not block <script>alert(42)</script>; which is correct

Thus, it seems like default-src only lacks support for CSP2 as 'unsafe-inline' works and the general script-src fallback mechanism seems to be correct.

Test cases which can be executed on e.g. about:blank or http://example.com:
hash:
document.write(`<meta http-equiv="Content-Security-Policy" content="default-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">`); document.write(`<script>alert(42)</script>`)

nonce:
document.write(`<meta http-equiv="Content-Security-Policy" content="default-src 'nonce-ABCDEF'">`); document.write(`<script nonce="ABCDEF">alert(42)</script>`)

unsafe-inline:
document.write(`<meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'">`); document.write(`<script>alert(42)</script>`)

Attached file default-nonce.html
Attached file default-hash.html

Attached (html) test cases for hashes, nonces and strict-dynamic usage in default-src

Hello, I have confirmed that this bug still exists in Firefox 95.

This bug looks serious. If a web developer sets CSP to default-src 'nonce-XXX' 'unsafe-inline' in order to ensure backward compatibility of browsers implementing CSP, and there is an XSS vulnerability in this web page, CSP is bypassed in Firefox and an attacker is able to execute arbitrary scripts.

I wonder why this serious bug hasn't been fixed even after more than 5 years. Wouldn't it be better to fix it quickly?

The issue is still present in Firefox 100.

This is quite annoying as the MDN doc (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src for instance) does not state this oddity as far as I can tell, and Firefox is the only browser that behaves this way.

Severity: normal → S3
See Also: → 1640128
Depends on: 1640128
See Also: 1640128
Duplicate of this bug: 1809605

The issue is still present in 102.7.0esr, shipped with Debian 11. Pages that rely on nonce in default-src break.

More recent versions seem to have this fixed.

You are right. I didn't title bug 1640128 (which landed in Firefox 109) correctly, but we actually added support for hashes and nonces in the default-src. 'strict-dynamic' is still unsupported in default-src.

Summary: CSP: Enforce 'strict-dynamic' and nonce within default-src → CSP: Enforce 'strict-dynamic' within default-src
Assignee: nobody → tschuster
Duplicate of this bug: 1840570
Depends on: 1627263

We currently don't initialize LoadInfo::mParserCreatedScript for pre-loads. And because mParserCreatedScript defaults to false, with 'strict-dynamic' we will just allow all preloads. We obviously need to fix this initialization, but I think we should also switch either the default value or change it to mNotParserCreatedScript to prevent future problems.

Type: defect → task
Attachment #9341919 - Attachment description: WIP: Bug 1313937 - CSP: Reimplemnt 'strict-dynamic' → WIP: Bug 1313937 - CSP: Reimplement 'strict-dynamic'
Depends on: 1843002
Attachment #9341918 - Attachment description: WIP: Bug 1313937 - CSP: Handle nonce from requests more explictly and closer to the spec. → Bug 1313937 - CSP: Handle nonce from requests more explictly and closer to the spec. r?freddyb
Attachment #9341919 - Attachment description: WIP: Bug 1313937 - CSP: Reimplement 'strict-dynamic' → Bug 1313937 - CSP: Reimplement 'strict-dynamic'. r?freddyb
Attachment #9341920 - Attachment description: WIP: Bug 1313937 - CSP: Remove aParserCreated → Bug 1313937 - CSP: Remove aParserCreated. r?freddyb
Duplicate of this bug: 1749153
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/affc7d1f130d CSP: Handle nonce from requests more explictly and closer to the spec. r=freddyb https://hg.mozilla.org/integration/autoland/rev/7cab9a1ea25f CSP: Reimplement 'strict-dynamic'. r=freddyb https://hg.mozilla.org/integration/autoland/rev/84c2d1c04aa2 CSP: Remove aParserCreated. r=freddyb

Backed out for causing build bustages in ScriptLoadRequest.h.

  • Backout link
  • Push with failures
  • Failure Log
  • Failure line: /builds/worker/workspace/obj-build/dist/include/js/loader/ScriptLoadRequest.h:302:3: error: declaration of 'JS::loader::ParserMetadata JS::loader::ScriptLoadRequest::ParserMetadata() const' [-fpermissive]
Flags: needinfo?(tschuster)
Flags: needinfo?(tschuster)
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1f0568049823 CSP: Handle nonce from requests more explictly and closer to the spec. r=freddyb https://hg.mozilla.org/integration/autoland/rev/28cf03c9738a CSP: Reimplement 'strict-dynamic'. r=freddyb https://hg.mozilla.org/integration/autoland/rev/3c7aa15fc461 CSP: Remove aParserCreated. r=freddyb
Attachment #9342345 - Attachment description: WIP: Bug 1313937 - CSP: Logging improvements → Bug 1313937 - CSP: Logging improvements. r?ckerschb
Keywords: dev-doc-needed
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a83224166a78 CSP: Logging improvements. r=ckerschb

Is this something we should call out in the Fx117 relnotes? Please nominate if so.

Flags: needinfo?(tschuster)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #34)

Is this something we should call out in the Fx117 relnotes? Please nominate if so.

While involving a fair bit of implementation work, supporting 'strict-dynamic' in default-src: is more of a fringe feature that IMO doesn't need to be mentioned.

Flags: needinfo?(tschuster)

There's a GitHub issue for MDN documentation changes here: https://github.com/mdn/content/issues/28301

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: