CSP: Enforce 'strict-dynamic' within default-src
Categories
(Core :: DOM: Security, task, P3)
Tracking

Tracking | Status
---|---
firefox117 | fixed
People
(Reporter: ckerschb, Assigned: tschuster)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1])
Attachments (7 files)
- 197 bytes, text/html
- 221 bytes, text/html
- 353 bytes, text/html
- 48 bytes, text/x-phabricator-request
- 48 bytes, text/x-phabricator-request
- 48 bytes, text/x-phabricator-request
- 48 bytes, text/x-phabricator-request
CSP spec allows 'strict-dynamic' not only to appear within script-src, but also within default-src. To be spec compliant we should fix that.
Comment 1•7 years ago
Also nonce and hash are honored in default-src (if no script-src), as implied by Christoph's summary change.
Comment 3•6 years ago
Hi all, I can see that this problem with 'strict-dynamic', nonces and hashes in default-src was already discussed here a year ago. I just want to say that the problem is still there, at least in Firefox 57 on Fedora. Here is my CSP: default-src 'strict-dynamic' 'nonce-IJAuBi0Jw3E9oKVtziojOEWv3'; Scripts with the right nonce are not executed. I guess that Firefox does not use default-src as a fallback for the missing script-src directive. Regarding 'strict-dynamic', I get a warning that it is simply ignored by Firefox.
Comment 4•6 years ago
(In reply to Dolière Francis SOME from comment #3)
> I just want to tell that the problem is still there, at least in Firefox 57 on Fedora.

Yeah, I know. Unfortunately it's still in our backlog. If you are interested in contributing to the project I am happy to provide some guidance for this bug. Thanks!
Comment 5•6 years ago
Thanks for the quick answer! Yeah, please let me know how one can contribute to the project. I am willing to help if I can.
Comment 6•6 years ago
Firefox already enforces strict-dynamic within script-src, so you could query for CSP_STRICT_DYNAMIC within dom/security/ and apply similar enforcement strategies as we already have in place for script-src. First you will have to change nsCSPParser.cpp to account for strict-dynamic within default-src, then you have to update nsCSPUtils.cpp to actually enforce strict-dynamic within default-src. Let me know if you get stuck somewhere - thanks!
Comment 7•6 years ago
Thanks for the guidelines!
Comment 8•5 years ago
Hello,
I wanted to confirm that the use of nonces and/or hashes within default-src is still unsupported as of Firefox 65. Is there a separate issue tracking this bug? It has been very difficult to find information on, I have not been able to locate any documentation suggesting the default-src directive is not fully functional in FF.
Comment 9•5 years ago
Sorry, should have included this in my original comment. The CSP header I am working with is:
Content-Security-Policy: default-src 'self' 'nonce-aaAAbbBBccCCddDD'
And scripts with the appropriate nonce attribute are not firing.
Comment 10•5 years ago
> I wanted to confirm that the use of nonces and/or hashes within default-src is still unsupported as of Firefox 65. Is there a separate issue tracking this bug?

Sorry for the confusion - to answer your question, this is the right bug for tracking the issue that nonce is not supported in default-src. Unfortunately that bug is still in our backlog and I can't make any statements on when we will get to it.

As a workaround and also best practice you could place the nonce- within script-src.
Comment 12•3 years ago
Hi,
nonces and hashes within default-src are still unsupported in Firefox 84.
CSP: default-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='
blocks <script>alert(42)</script>
although the hash matches.
CSP: default-src 'nonce-ABCDEF'
blocks <script nonce="ABCDEF">alert(42)</script>
although the nonce is set.
However, 'unsafe-inline' (i.e. CSP1) is supported in default-src:
CSP: default-src 'unsafe-inline'
does not block <script>alert(42)</script>, which is correct.
Thus, it seems like default-src only lacks support for CSP2 as 'unsafe-inline' works and the general script-src fallback mechanism seems to be correct.
Test cases which can be executed on e.g. about:blank or http://example.com:
hash:
document.write(`<meta http-equiv="Content-Security-Policy" content="default-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">`); document.write(`<script>alert(42)</script>`)
nonce:
document.write(`<meta http-equiv="Content-Security-Policy" content="default-src 'nonce-ABCDEF'">`); document.write(`<script nonce="ABCDEF">alert(42)</script>`)
unsafe-inline:
document.write(`<meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'">`); document.write(`<script>alert(42)</script>`)
Comment 15•3 years ago
Attached (html) test cases for hashes, nonces and strict-dynamic usage in default-src
Comment 16•2 years ago
Hello, I have confirmed that this bug still exists in Firefox 95.
This bug looks serious. If a web developer sets CSP to default-src 'nonce-XXX' 'unsafe-inline' in order to ensure backward compatibility of browsers implementing CSP, and there is an XSS vulnerability in this web page, CSP is bypassed in Firefox and an attacker is able to execute arbitrary scripts.
I wonder why this serious bug hasn't been fixed even after more than 5 years. Wouldn't it be better to fix it quickly?
Comment 17•2 years ago
The issue is still present in Firefox 100.
This is quite annoying as the MDN doc (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src for instance) does not state this oddity as far as I can tell, and Firefox is the only browser that behaves this way.
Comment 19•9 months ago
The issue is still present in 102.7.0esr, shipped with Debian 11. Pages that rely on nonce in default-src break.
More recent versions seem to have this fixed.
Comment 20•9 months ago
You are right. I didn't title bug 1640128 (which landed in Firefox 109) correctly, but we actually added support for hashes and nonces in the default-src. 'strict-dynamic' is still unsupported in default-src.
Comment 23•5 months ago
Depends on D182562
Comment 24•5 months ago
Depends on D182563
Comment 25•5 months ago
We currently don't initialize LoadInfo::mParserCreatedScript for pre-loads. And because mParserCreatedScript defaults to false, with 'strict-dynamic' we will just allow all preloads. We obviously need to fix this initialization, but I think we should also switch either the default value or change it to mNotParserCreatedScript to prevent future problems.
Comment 28•5 months ago
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/affc7d1f130d
CSP: Handle nonce from requests more explicitly and closer to the spec. r=freddyb
https://hg.mozilla.org/integration/autoland/rev/7cab9a1ea25f
CSP: Reimplement 'strict-dynamic'. r=freddyb
https://hg.mozilla.org/integration/autoland/rev/84c2d1c04aa2
CSP: Remove aParserCreated. r=freddyb
Comment 29•5 months ago
Backed out for causing build bustages in ScriptLoadRequest.h.
- Backout link
- Push with failures
- Failure Log
- Failure line: /builds/worker/workspace/obj-build/dist/include/js/loader/ScriptLoadRequest.h:302:3: error: declaration of 'JS::loader::ParserMetadata JS::loader::ScriptLoadRequest::ParserMetadata() const' [-fpermissive]
Comment 30•5 months ago
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1f0568049823
CSP: Handle nonce from requests more explicitly and closer to the spec. r=freddyb
https://hg.mozilla.org/integration/autoland/rev/28cf03c9738a
CSP: Reimplement 'strict-dynamic'. r=freddyb
https://hg.mozilla.org/integration/autoland/rev/3c7aa15fc461
CSP: Remove aParserCreated. r=freddyb
Comment 31•5 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1f0568049823
https://hg.mozilla.org/mozilla-central/rev/28cf03c9738a
https://hg.mozilla.org/mozilla-central/rev/3c7aa15fc461
Comment 32•5 months ago
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a83224166a78
CSP: Logging improvements. r=ckerschb
Comment 34•5 months ago
Is this something we should call out in the Fx117 relnotes? Please nominate if so.
Comment 35•5 months ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #34)
> Is this something we should call out in the Fx117 relnotes? Please nominate if so.

While involving a fair bit of implementation work, supporting 'strict-dynamic' in default-src is more of a fringe feature that IMO doesn't need to be mentioned.
Comment 36•4 months ago
There's a GitHub issue for MDN documentation changes here: https://github.com/mdn/content/issues/28301