
Clarify relationship between xml-stylesheet and script-src in CSP

Status: RESOLVED INVALID
Product: Firefox
Component: Untriaged
Reported: 9 months ago
Last modified: 9 months ago

People

(Reporter: Eduardo Vela N, Unassigned)

Tracking

Version: 50 Branch
Points: ---
Firefox Tracking Flags: (Not tracked)

Details

Description (Reporter, 9 months ago)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161209094039

Steps to reproduce:

See this PoC: https://sirdarckcat.github.io/csp/nonce.html


Actual results:

You see an alert(1).


Expected results:

A CSP warning probably should have shown up.
Comment 1 (Reporter, 9 months ago)

To add more details...

It seems that for some reason, xml-stylesheet is governed by the script-src directive in CSP.

I don't understand *why*, but assuming that's working as intended, when a 'nonce-random' is present you shouldn't allow any XML stylesheets to be loaded.
Comment 2 (Reporter, 9 months ago)

Oh, actually. I'm wrong.

When 'nonce-random' is specified, 'unsafe-inline' is ignored... I got things mixed up... sorry.
Comment 3 (Reporter, 9 months ago)

OK, I'm honestly confused about what is supposed to happen...

Why does this trigger a script-src CSP warning?

http://evilwebsite.com/xss.php?nofil&http_xss=content-security-policy:object-src%20%27none%27;script-src%20%27nonce-random%27%20%27unsafe-inline%27%20%27unsafe-eval%27;&plain_xss=%3Ciframe%20src=%27data:text/xml,%3C?xml%20version=%221.0%22?%3E%20%3C?xml-stylesheet%20href=%22https://sirdarckcat.github.io/csp/xslt.xml%22%20type=%22text/xsl%22?%3E%3Ca%3E%3C/a%3E%27%3E%3C/iframe%3E

And where would someone add a nonce here?
Comment 4 (Reporter, 9 months ago)
I found https://bugzilla.mozilla.org/show_bug.cgi?id=910139
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 months ago
Resolution: --- → INVALID

Comment 5 (9 months ago)
Unmarking sec-sensitive per the comments.
Group: firefox-core-security