Clarify relationship between xml-stylesheet and script-src in CSP

RESOLVED INVALID


People

(Reporter: sirdarckcat, Unassigned)

Tracking

50 Branch

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161209094039

Steps to reproduce:

See this PoC: https://sirdarckcat.github.io/csp/nonce.html


Actual results:

You see an alert(1).


Expected results:

A CSP warning probably should have shown up.
(Reporter)

Comment 1

2 years ago
To add more details..

It seems that for some reason, xml-stylesheet is governed by the script-src directive in CSP.

I don't understand *why*, but assuming that's working as intended, when a 'nonce-random' is present you shouldn't allow any XML stylesheets to be loaded.
(Reporter)

Comment 2

2 years ago
Oh, actually. I'm wrong.

When 'nonce-random' is specified, then 'unsafe-inline' is ignored.. I got things mixed up.. sorry.
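
The rule mentioned in Comment 2, as an added example that is not part of the original bug thread and is not Firefox code: a simplified model of how a CSP Level 2+ user agent decides whether an inline script may run. The function names `parsePolicy` and `inlineScriptAllowed` are hypothetical, and URL matching, hash computation and 'strict-dynamic' are deliberately left out.

```javascript
// Added example: simplified model of inline-script handling under CSP2+.
// Function names are hypothetical; only nonce / 'unsafe-inline' logic is modelled.

// Parse a policy string into a Map of directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // When a directive is repeated, only its first occurrence is used.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The keyword prefix is case-insensitive; the captured nonce value keeps its case.
const NONCE_RE = /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/i;
const HASH_RE = /^'sha(256|384|512)-[A-Za-z0-9+\/_-]+={0,2}'$/i;

// Returns true if an inline script carrying `scriptNonce` (or null) may execute.
function inlineScriptAllowed(policy, scriptNonce) {
  const directives = parsePolicy(policy);
  // script-src falls back to default-src; with neither, inline script is unrestricted.
  const sources = directives.has('script-src')
    ? directives.get('script-src')
    : directives.get('default-src');
  if (sources === undefined) return true;

  const nonces = [];
  let hasHash = false;
  let unsafeInline = false;
  for (const s of sources) {
    const m = NONCE_RE.exec(s);
    if (m) nonces.push(m[1]);
    else if (HASH_RE.test(s)) hasHash = true;
    else if (s.toLowerCase() === "'unsafe-inline'") unsafeInline = true;
  }
  // A matching nonce always allows the script (nonce values are case-sensitive).
  if (scriptNonce && nonces.includes(scriptNonce)) return true;
  // Any nonce or hash source in the list makes the browser ignore 'unsafe-inline'.
  // Hash matching is not computed in this model, so such scripts are treated as blocked.
  if (nonces.length > 0 || hasHash) return false;
  return unsafeInline;
}
```
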
(Reporter)

Comment 4

2 years ago
I found https://bugzilla.mozilla.org/show_bug.cgi?id=910139
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID

Comment 5

2 years ago
Unmarking sec-sensitive per the comments.
Group: firefox-core-security