We report inline style CSP violations that are coming from the HTML parser stream twice

NEW
Unassigned


P3
normal
2 years ago
2 years ago

People

(Reporter: Ehsan, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog2])

(Reporter)

Description

2 years ago
I found this when debugging bug 1324383.  See <view-source:https://people-mozilla.org/~eakhgari/csp-style-test/> for example.

The first violation is reported from here:

* thread #1: tid = 0x7c0f1, 0x000000010c8151a0 XUL`CSPReportSenderRunnable::CSPReportSenderRunnable(this=0x000000012b0c8040, aBlockedContentSource=0x0000000121b4c340, aOriginalURI=0x00000001296ee560, aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=u"default-src view-source://", aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"-moz-tab-size: 4", aLineNum=0, aCSPContext=0x00000001296edc00) + 384 at nsCSPContext.cpp:1051, queue = 'com.apple.main-thread', stop reason = breakpoint 4.1
  * frame #0: 0x000000010c8151a0 XUL`CSPReportSenderRunnable::CSPReportSenderRunnable(this=0x000000012b0c8040, aBlockedContentSource=0x0000000121b4c340, aOriginalURI=0x00000001296ee560, aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=u"default-src view-source://", aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"-moz-tab-size: 4", aLineNum=0, aCSPContext=0x00000001296edc00) + 384 at nsCSPContext.cpp:1051
    frame #1: 0x000000010c7fd58b XUL`CSPReportSenderRunnable::CSPReportSenderRunnable(this=0x000000012b0c8040, aBlockedContentSource=0x0000000121b4c340, aOriginalURI=0x00000001296ee560, aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=u"default-src view-source://", aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"-moz-tab-size: 4", aLineNum=0, aCSPContext=0x00000001296edc00) + 171 at nsCSPContext.cpp:1050
    frame #2: 0x000000010c7f6e7b XUL`nsCSPContext::AsyncReportViolation(this=0x00000001296edc00, aBlockedContentSource=0x0000000121b4c340, aOriginalURI=0x00000001296ee560, aViolatedDirective=u"default-src view-source://", aViolatedPolicyIndex=0, aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"-moz-tab-size: 4", aLineNum=0) + 331 at nsCSPContext.cpp:1165
    frame #3: 0x000000010c7f92f0 XUL`nsCSPContext::reportInlineViolation(this=0x00000001296edc00, aContentType=4, aNonce=u"", aContent=u"-moz-tab-size: 4", aViolatedDirective=u"default-src view-source://", aViolatedPolicyIndex=0, aLineNumber=0) + 1136 at nsCSPContext.cpp:473
    frame #4: 0x000000010c7f9682 XUL`nsCSPContext::GetAllowsInline(this=0x00000001296edc00, aContentType=4, aNonce=u"", aParserCreated=false, aContent=u"-moz-tab-size: 4", aLineNumber=0, outAllowsInline=0x00007fff578ee9a7) + 786 at nsCSPContext.cpp:517
    frame #5: 0x000000010d4c28ed XUL`nsStyleUtil::CSPAllowsInlineStyle(aContent=0x0000000000000000, aPrincipal=0x000000012224f1f0, aSourceURI=0x00000001296ee560, aLineNumber=0, aStyleText=u"-moz-tab-size: 4", aRv=0x0000000000000000) + 557 at nsStyleUtil.cpp:824
    frame #6: 0x000000010ab33dcc XUL`nsStyledElement::ParseStyleAttribute(this=0x00000001296ee240, aValue=u"-moz-tab-size: 4", aResult=0x00007fff578eed18, aForceInDataDoc=false) + 156 at nsStyledElement.cpp:156
    frame #7: 0x000000010ab33cd0 XUL`nsStyledElement::ParseAttribute(this=0x00000001296ee240, aNamespaceID=0, aAttribute=u"style", aValue=u"-moz-tab-size: 4", aResult=0x00007fff578eed18) + 96 at nsStyledElement.cpp:43
    frame #8: 0x000000010c13eacb XUL`nsGenericHTMLElement::ParseAttribute(this=0x00000001296ee240, aNamespaceID=0, aAttribute=u"style", aValue=u"-moz-tab-size: 4", aResult=0x00007fff578eed18) + 475 at nsGenericHTMLElement.cpp:942
    frame #9: 0x000000010c01e208 XUL`mozilla::dom::HTMLBodyElement::ParseAttribute(this=0x00000001296ee240, aNamespaceID=0, aAttribute=u"style", aValue=u"-moz-tab-size: 4", aResult=0x00007fff578eed18) + 392 at HTMLBodyElement.cpp:346
    frame #10: 0x000000010a8c6eb7 XUL`mozilla::dom::Element::SetAttr(this=0x00000001296ee240, aNamespaceID=0, aName=u"style", aPrefix=<parent is NULL>, aValue=u"-moz-tab-size: 4", aNotify=false) + 855 at Element.cpp:2384
    frame #11: 0x000000010c13e3bd XUL`nsGenericHTMLElement::SetAttr(this=0x00000001296ee240, aNameSpaceID=0, aName=u"style", aPrefix=<parent is NULL>, aValue=u"-moz-tab-size: 4", aNotify=false) + 253 at nsGenericHTMLElement.cpp:824
    frame #12: 0x0000000109fd180c XUL`nsHtml5TreeOperation::CreateElement(aNs=3, aName=u"body", aAttributes=0x00000001218de200, aFromParser=FROM_PARSER_NETWORK, aNodeInfoManager=0x0000000121882c40, aBuilder=0x0000000121971800) + 2604 at nsHtml5TreeOperation.cpp:435
    frame #13: 0x0000000109fd3661 XUL`nsHtml5TreeOperation::Perform(this=0x0000000121923248, aBuilder=0x0000000121971800, aScriptElement=0x00007fff578efbc0) + 1009 at nsHtml5TreeOperation.cpp:690
    frame #14: 0x0000000109fc7666 XUL`nsHtml5TreeOpExecutor::RunFlushLoop(this=0x0000000121971800) + 1270 at nsHtml5TreeOpExecutor.cpp:451
    frame #15: 0x0000000109fca4b1 XUL`nsHtml5ExecutorFlusher::Run(this=0x00000001218d9820) + 81 at nsHtml5StreamParser.cpp:128
    frame #16: 0x00000001089dd406 XUL`nsThread::ProcessNextEvent(this=0x000000011d50e1a0, aMayWait=false, aResult=0x00007fff578efde3) + 1254 at nsThread.cpp:1240
    frame #17: 0x0000000108a6bafc XUL`NS_ProcessPendingEvents(aThread=0x000000011d50e1a0, aTimeout=10) + 140 at nsThreadUtils.cpp:332
    frame #18: 0x000000010d0581be XUL`nsBaseAppShell::NativeEventCallback(this=0x000000011d5c9b80) + 190 at nsBaseAppShell.cpp:97
    frame #19: 0x000000010d0f43e2 XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x000000011d5c9b80) + 498 at nsAppShell.mm:392
    frame #20: 0x00007fffb217d981 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #21: 0x00007fffb215ea7d CoreFoundation`__CFRunLoopDoSources0 + 557
    frame #22: 0x00007fffb215df76 CoreFoundation`__CFRunLoopRun + 934
    frame #23: 0x00007fffb215d974 CoreFoundation`CFRunLoopRunSpecific + 420
    frame #24: 0x00007fffb16e9acc HIToolbox`RunCurrentEventLoopInMode + 240
    frame #25: 0x00007fffb16e9901 HIToolbox`ReceiveNextEventCommon + 432
    frame #26: 0x00007fffb16e9736 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #27: 0x00007fffafc8fae4 AppKit`_DPSNextEvent + 1120
    frame #28: 0x00007fffb040a21f AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2789
    frame #29: 0x000000010d0f2f24 XUL`::-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x0000000121bb8e00, _cmd="nextEventMatchingMask:untilDate:inMode:dequeue:", mask=18446744073709551615, expiration=4001-01-01 00:00:00 UTC, mode="kCFRunLoopDefaultMode", flag=YES) + 116 at nsAppShell.mm:128
    frame #30: 0x00007fffafc84465 AppKit`-[NSApplication run] + 926
    frame #31: 0x000000010d0f4d8c XUL`nsAppShell::Run(this=0x000000011d5c9b80) + 172 at nsAppShell.mm:666
    frame #32: 0x000000010e76a325 XUL`XRE_RunAppShell() + 325 at nsEmbedFunctions.cpp:927
    frame #33: 0x0000000109404b1b XUL`mozilla::ipc::MessagePumpForChildProcess::Run(this=0x000000011d533f60, aDelegate=0x00007fff578f1ad0) + 187 at MessagePump.cpp:269
    frame #34: 0x0000000109301755 XUL`MessageLoop::RunInternal(this=0x00007fff578f1ad0) + 117 at message_loop.cc:238
    frame #35: 0x00000001093016b5 XUL`MessageLoop::RunHandler(this=0x00007fff578f1ad0) + 21 at message_loop.cc:231
    frame #36: 0x000000010930165d XUL`MessageLoop::Run(this=0x00007fff578f1ad0) + 45 at message_loop.cc:211
    frame #37: 0x000000010e769a1e XUL`XRE_InitChildProcess(aArgc=5, aArgv=0x00007fff578f1da0, aChildData=0x00007fff578f1d28) + 4334 at nsEmbedFunctions.cpp:759
    frame #38: 0x000000010e778657 XUL`mozilla::BootstrapImpl::XRE_InitChildProcess(this=0x000000011d5150d0, argc=8, argv=0x00007fff578f1da0, aChildData=0x00007fff578f1d28) + 39 at Bootstrap.cpp:65
    frame #39: 0x00000001083100c9 plugin-container`content_process_main(bootstrap=0x000000011d5150d0, argc=8, argv=0x00007fff578f1da0) + 217 at plugin-container.cpp:115
    frame #40: 0x0000000108310247 plugin-container`main(argc=9, argv=0x00007fff578f1da0) + 103 at MozillaRuntimeMain.cpp:26
    frame #41: 0x00007fffc76b6255 libdyld.dylib`start + 1

The second violation is reported here. Note that it takes a different path: the first report comes from nsStyledElement::ParseStyleAttribute during nsHtml5TreeOperation::CreateElement with the real style text as the sample, whereas this one comes from nsStyledElement::ReparseStyleAttribute during Element::BindToTree with an empty aContent, so the same inline style is reported twice (the second time with an empty script sample):
* thread #1: tid = 0x89a47, 0x00000001134c31a0 XUL`CSPReportSenderRunnable::CSPReportSenderRunnable(this=0x000000010e11ba60, aBlockedContentSource=0x00000001064f9bb0, aOriginalURI=0x0000000108f8f240, aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=u"default-src view-source://:1", aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"", aLineNum=0, aCSPContext=0x0000000105144380) + 384 at nsCSPContext.cpp:1051, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
  * frame #0: 0x00000001134c31a0 XUL`CSPReportSenderRunnable::CSPReportSenderRunnable(this=0x000000010e11ba60, aBlockedContentSource=0x00000001064f9bb0, aOriginalURI=0x0000000108f8f240, aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=u"default-src view-source://:1", aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"", aLineNum=0, aCSPContext=0x0000000105144380) + 384 at nsCSPContext.cpp:1051
    frame #1: 0x00000001134ab58b XUL`CSPReportSenderRunnable::CSPReportSenderRunnable(this=0x000000010e11ba60, aBlockedContentSource=0x00000001064f9bb0, aOriginalURI=0x0000000108f8f240, aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=u"default-src view-source://:1", aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"", aLineNum=0, aCSPContext=0x0000000105144380) + 171 at nsCSPContext.cpp:1050
    frame #2: 0x00000001134a4e7b XUL`nsCSPContext::AsyncReportViolation(this=0x0000000105144380, aBlockedContentSource=0x00000001064f9bb0, aOriginalURI=0x0000000108f8f240, aViolatedDirective=u"default-src view-source://:1", aViolatedPolicyIndex=0, aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"", aLineNum=0) + 331 at nsCSPContext.cpp:1165
    frame #3: 0x00000001134a72f0 XUL`nsCSPContext::reportInlineViolation(this=0x0000000105144380, aContentType=4, aNonce=u"", aContent=u"", aViolatedDirective=u"default-src view-source://:1", aViolatedPolicyIndex=0, aLineNumber=0) + 1136 at nsCSPContext.cpp:473
    frame #4: 0x00000001134a7682 XUL`nsCSPContext::GetAllowsInline(this=0x0000000105144380, aContentType=4, aNonce=u"", aParserCreated=false, aContent=u"", aLineNumber=0, outAllowsInline=0x00007fff5e272a57) + 786 at nsCSPContext.cpp:517
    frame #5: 0x00000001141708ed XUL`nsStyleUtil::CSPAllowsInlineStyle(aContent=0x0000000000000000, aPrincipal=0x000000010672d8b0, aSourceURI=0x0000000108f8f240, aLineNumber=0, aStyleText=u"", aRv=0x0000000000000000) + 557 at nsStyleUtil.cpp:824
    frame #6: 0x00000001117e1dcc XUL`nsStyledElement::ParseStyleAttribute(this=0x00000001051446a0, aValue=u"", aResult=0x00007fff5e272d48, aForceInDataDoc=false) + 156 at nsStyledElement.cpp:156
    frame #7: 0x00000001117e23ba XUL`nsStyledElement::ReparseStyleAttribute(this=0x00000001051446a0, aForceInDataDoc=false) + 218 at nsStyledElement.cpp:126
    frame #8: 0x0000000111572259 XUL`mozilla::dom::Element::BindToTree(this=0x00000001051446a0, aDocument=0x0000000106723000, aParent=0x000000010210be20, aBindingParent=0x0000000000000000, aCompileEventHandlers=true) + 3881 at Element.cpp:1716
    frame #9: 0x0000000112de9de6 XUL`nsGenericHTMLElement::BindToTree(this=0x00000001051446a0, aDocument=0x0000000106723000, aParent=0x000000010210be20, aBindingParent=0x0000000000000000, aCompileEventHandlers=true) + 86 at nsGenericHTMLElement.cpp:475
    frame #10: 0x0000000111770f4e XUL`nsINode::doInsertChildAt(this=0x000000010210be20, aKid=0x00000001051446a0, aIndex=1, aNotify=false, aChildArray=0x000000010210be90) + 1150 at nsINode.cpp:1613
    frame #11: 0x00000001115904b8 XUL`mozilla::dom::FragmentOrElement::InsertChildAt(this=0x000000010210be20, aKid=0x00000001051446a0, aIndex=1, aNotify=false) + 136 at FragmentOrElement.cpp:1148
    frame #12: 0x0000000110c7e09f XUL`nsINode::AppendChildTo(this=0x000000010210be20, aKid=0x00000001051446a0, aNotify=false) + 95 at nsINode.h:718
    frame #13: 0x0000000110c7df98 XUL`nsHtml5TreeOperation::Append(aNode=0x00000001051446a0, aParent=0x000000010210be20, aBuilder=0x000000010649bc00) + 312 at nsHtml5TreeOperation.cpp:181
    frame #14: 0x0000000110c81358 XUL`nsHtml5TreeOperation::Perform(this=0x00000001065c7278, aBuilder=0x000000010649bc00, aScriptElement=0x00007fff5e273bb0) + 232 at nsHtml5TreeOperation.cpp:645
    frame #15: 0x0000000110c75666 XUL`nsHtml5TreeOpExecutor::RunFlushLoop(this=0x000000010649bc00) + 1270 at nsHtml5TreeOpExecutor.cpp:451
    frame #16: 0x0000000110c784b1 XUL`nsHtml5ExecutorFlusher::Run(this=0x0000000105141460) + 81 at nsHtml5StreamParser.cpp:128
    frame #17: 0x000000010f68b406 XUL`nsThread::ProcessNextEvent(this=0x000000010210e1a0, aMayWait=false, aResult=0x00007fff5e273dd3) + 1254 at nsThread.cpp:1240
    frame #18: 0x000000010f719afc XUL`NS_ProcessPendingEvents(aThread=0x000000010210e1a0, aTimeout=10) + 140 at nsThreadUtils.cpp:332
    frame #19: 0x0000000113d061be XUL`nsBaseAppShell::NativeEventCallback(this=0x00000001021bfb80) + 190 at nsBaseAppShell.cpp:97
    frame #20: 0x0000000113da23e2 XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x00000001021bfb80) + 498 at nsAppShell.mm:392
    frame #21: 0x00007fffb217d981 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #22: 0x00007fffb215ea7d CoreFoundation`__CFRunLoopDoSources0 + 557
    frame #23: 0x00007fffb215df76 CoreFoundation`__CFRunLoopRun + 934
    frame #24: 0x00007fffb215d974 CoreFoundation`CFRunLoopRunSpecific + 420
    frame #25: 0x00007fffb16e9acc HIToolbox`RunCurrentEventLoopInMode + 240
    frame #26: 0x00007fffb16e9901 HIToolbox`ReceiveNextEventCommon + 432
    frame #27: 0x00007fffb16e9736 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #28: 0x00007fffafc8fae4 AppKit`_DPSNextEvent + 1120
    frame #29: 0x00007fffb040a21f AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2789
    frame #30: 0x0000000113da0f24 XUL`::-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x000000010672ce00, _cmd="nextEventMatchingMask:untilDate:inMode:dequeue:", mask=18446744073709551615, expiration=4001-01-01 00:00:00 UTC, mode="kCFRunLoopDefaultMode", flag=YES) + 116 at nsAppShell.mm:128
    frame #31: 0x00007fffafc84465 AppKit`-[NSApplication run] + 926
    frame #32: 0x0000000113da2d8c XUL`nsAppShell::Run(this=0x00000001021bfb80) + 172 at nsAppShell.mm:666
    frame #33: 0x0000000115418325 XUL`XRE_RunAppShell() + 325 at nsEmbedFunctions.cpp:927
    frame #34: 0x00000001100b2b1b XUL`mozilla::ipc::MessagePumpForChildProcess::Run(this=0x0000000102133f60, aDelegate=0x00007fff5e275ac0) + 187 at MessagePump.cpp:269
    frame #35: 0x000000010ffaf755 XUL`MessageLoop::RunInternal(this=0x00007fff5e275ac0) + 117 at message_loop.cc:238
    frame #36: 0x000000010ffaf6b5 XUL`MessageLoop::RunHandler(this=0x00007fff5e275ac0) + 21 at message_loop.cc:231
    frame #37: 0x000000010ffaf65d XUL`MessageLoop::Run(this=0x00007fff5e275ac0) + 45 at message_loop.cc:211
    frame #38: 0x0000000115417a1e XUL`XRE_InitChildProcess(aArgc=5, aArgv=0x00007fff5e275d98, aChildData=0x00007fff5e275d18) + 4334 at nsEmbedFunctions.cpp:759
    frame #39: 0x0000000115426657 XUL`mozilla::BootstrapImpl::XRE_InitChildProcess(this=0x00000001021150d0, argc=8, argv=0x00007fff5e275d98, aChildData=0x00007fff5e275d18) + 39 at Bootstrap.cpp:65
    frame #40: 0x000000010198c0c9 plugin-container`content_process_main(bootstrap=0x00000001021150d0, argc=8, argv=0x00007fff5e275d98) + 217 at plugin-container.cpp:115
    frame #41: 0x000000010198c247 plugin-container`main(argc=9, argv=0x00007fff5e275d98) + 103 at MozillaRuntimeMain.cpp:26
    frame #42: 0x00007fffc76b6255 libdyld.dylib`start + 1
    frame #43: 0x00007fffc76b6255 libdyld.dylib`start + 1
Component: Security → DOM: Security
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]