CSP: Enforce 'strict-dynamic' within default-src
Categories
(Core :: DOM: Security, task, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox117 | --- | fixed |
People
(Reporter: ckerschb, Assigned: tschuster)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1])
Attachments
(7 files)
Comment 8•6 years ago
Hello,
I wanted to confirm that the use of nonces and/or hashes within default-src is still unsupported as of Firefox 65. Is there a separate issue tracking this bug? It has been very difficult to find information on; I have not been able to locate any documentation suggesting that the default-src directive is not fully functional in FF.
Comment 9•6 years ago
Sorry, should have included this in my original comment. The CSP header I am working with is:
Content-Security-Policy: default-src 'self' 'nonce-aaAAbbBBccCCddDD'
And scripts with the appropriate nonce attribute are not firing.
Comment 10•6 years ago (Reporter)
> I wanted to confirm that the use of nonces and/or hashes within default-src is still unsupported as of Firefox 65. Is there a separate issue tracking this bug?
Sorry for the confusion - to answer your question, this is the right bug for tracking the issue that nonce is not supported in default-src. Unfortunately that bug is still in our backlog and I can't make any statements on when we will get to it.
As a workaround and also best practice you could place the nonce- within script-src.
Comment 12•4 years ago
Hi,
nonces and hashes within default-src are still unsupported in Firefox 84.
CSP: default-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='
blocks <script>alert(42)</script>
although the hash matches.
CSP: default-src 'nonce-ABCDEF'
blocks <script nonce="ABCDEF">alert(42)</script>
although the nonce is set.
However, 'unsafe-inline' (i.e. CSP1) is supported in default-src:
CSP: default-src 'unsafe-inline'
does not block <script>alert(42)</script>
which is correct.
Thus, it seems like default-src only lacks support for CSP2 as 'unsafe-inline' works and the general script-src fallback mechanism seems to be correct.
Test cases which can be executed on e.g. about:blank or http://example.com:
hash:
document.write(`<meta http-equiv="Content-Security-Policy" content="default-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">`); document.write(`<script>alert(42)</script>`)
nonce:
document.write(`<meta http-equiv="Content-Security-Policy" content="default-src 'nonce-ABCDEF'">`); document.write(`<script nonce="ABCDEF">alert(42)</script>`)
unsafe-inline:
document.write(`<meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline'">`); document.write(`<script>alert(42)</script>`)
Comment 15•4 years ago
Attached (html) test cases for hashes, nonces and strict-dynamic usage in default-src.
Comment 16•3 years ago
Hello, I have confirmed that this bug still exists in Firefox 95.
This bug looks serious. If a web developer sets CSP to default-src 'nonce-XXX' 'unsafe-inline' in order to ensure backward compatibility of browsers implementing CSP, and there is an XSS vulnerability in this web page, CSP is bypassed in Firefox and an attacker is able to execute arbitrary scripts.
I wonder why this serious bug hasn't been fixed even after more than 5 years. Wouldn't it be better to fix it quickly?
Comment 17•3 years ago
The issue is still present in Firefox 100.
This is quite annoying as the MDN doc (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src for instance) does not state this oddity as far as I can tell, and Firefox is the only browser that behaves this way.
Comment 19•2 years ago
The issue is still present in 102.7.0esr, shipped with Debian 11. Pages that rely on nonce in default-src break.
More recent versions seem to have this fixed.
Comment 20•2 years ago (Assignee)
You are right. I didn't title bug 1640128 (which landed in Firefox 109) correctly, but we actually added support for hashes and nonces in default-src. 'strict-dynamic' is still unsupported in default-src.
Comment 23•2 years ago
Depends on D182562
Comment 24•2 years ago
Depends on D182563
Comment 25•2 years ago (Assignee)
We currently don't initialize LoadInfo::mParserCreatedScript for pre-loads. And because mParserCreatedScript defaults to false, with 'strict-dynamic' we will just allow all preloads. We obviously need to fix this initialization, but I think we should also switch either the default value or change it to mNotParserCreatedScript to prevent future problems.
Comment 29•2 years ago
Backed out for causing build bustages in ScriptLoadRequest.h.
- Backout link
- Push with failures
- Failure Log
- Failure line: /builds/worker/workspace/obj-build/dist/include/js/loader/ScriptLoadRequest.h:302:3: error: declaration of 'JS::loader::ParserMetadata JS::loader::ScriptLoadRequest::ParserMetadata() const' [-fpermissive]
Comment 31•2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/1f0568049823
https://hg.mozilla.org/mozilla-central/rev/28cf03c9738a
https://hg.mozilla.org/mozilla-central/rev/3c7aa15fc461
Comment 34•2 years ago
Is this something we should call out in the Fx117 relnotes? Please nominate if so.
Comment 35•2 years ago (Assignee)
(In reply to Ryan VanderMeulen [:RyanVM] from comment #34)
> Is this something we should call out in the Fx117 relnotes? Please nominate if so.
While involving a fair bit of implementation work, supporting 'strict-dynamic' in default-src is more of a fringe feature that IMO doesn't need to be mentioned.
Comment 36•2 years ago
There's a GitHub issue for MDN documentation changes here: https://github.com/mdn/content/issues/28301