Open
Bug 1333617
Opened 8 years ago
Updated 2 years ago
We report inline style CSP violations that are coming from the HTML parser stream twice
Categories
(Core :: DOM: Security, defect, P3)
Core
DOM: Security
Tracking
()
NEW
People
(Reporter: ehsan.akhgari, Unassigned)
Details
(Whiteboard: [domsecurity-backlog2])
I found this while debugging bug 1324383. See <view-source:https://people-mozilla.org/~eakhgari/csp-style-test/> for an example.
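The first violation is reported from here, while the HTML parser sets the `style` attribute during element creation (nsHtml5TreeOperation::CreateElement → Element::SetAttr → nsStyledElement::ParseStyleAttribute). The style text passed to the CSP check, and the sample in the report, is "-moz-tab-size: 4":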
* thread #1: tid = 0x7c0f1, 0x000000010c8151a0 XUL`CSPReportSenderRunnable::CSPReportSenderRunnable(this=0x000000012b0c8040, aBlockedContentSource=0x0000000121b4c340, aOriginalURI=0x00000001296ee560, aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=u"default-src view-source://", aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"-moz-tab-size: 4", aLineNum=0, aCSPContext=0x00000001296edc00) + 384 at nsCSPContext.cpp:1051, queue = 'com.apple.main-thread', stop reason = breakpoint 4.1
* frame #0: 0x000000010c8151a0 XUL`CSPReportSenderRunnable::CSPReportSenderRunnable(this=0x000000012b0c8040, aBlockedContentSource=0x0000000121b4c340, aOriginalURI=0x00000001296ee560, aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=u"default-src view-source://", aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"-moz-tab-size: 4", aLineNum=0, aCSPContext=0x00000001296edc00) + 384 at nsCSPContext.cpp:1051
frame #1: 0x000000010c7fd58b XUL`CSPReportSenderRunnable::CSPReportSenderRunnable(this=0x000000012b0c8040, aBlockedContentSource=0x0000000121b4c340, aOriginalURI=0x00000001296ee560, aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=u"default-src view-source://", aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"-moz-tab-size: 4", aLineNum=0, aCSPContext=0x00000001296edc00) + 171 at nsCSPContext.cpp:1050
frame #2: 0x000000010c7f6e7b XUL`nsCSPContext::AsyncReportViolation(this=0x00000001296edc00, aBlockedContentSource=0x0000000121b4c340, aOriginalURI=0x00000001296ee560, aViolatedDirective=u"default-src view-source://", aViolatedPolicyIndex=0, aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"-moz-tab-size: 4", aLineNum=0) + 331 at nsCSPContext.cpp:1165
frame #3: 0x000000010c7f92f0 XUL`nsCSPContext::reportInlineViolation(this=0x00000001296edc00, aContentType=4, aNonce=u"", aContent=u"-moz-tab-size: 4", aViolatedDirective=u"default-src view-source://", aViolatedPolicyIndex=0, aLineNumber=0) + 1136 at nsCSPContext.cpp:473
frame #4: 0x000000010c7f9682 XUL`nsCSPContext::GetAllowsInline(this=0x00000001296edc00, aContentType=4, aNonce=u"", aParserCreated=false, aContent=u"-moz-tab-size: 4", aLineNumber=0, outAllowsInline=0x00007fff578ee9a7) + 786 at nsCSPContext.cpp:517
frame #5: 0x000000010d4c28ed XUL`nsStyleUtil::CSPAllowsInlineStyle(aContent=0x0000000000000000, aPrincipal=0x000000012224f1f0, aSourceURI=0x00000001296ee560, aLineNumber=0, aStyleText=u"-moz-tab-size: 4", aRv=0x0000000000000000) + 557 at nsStyleUtil.cpp:824
frame #6: 0x000000010ab33dcc XUL`nsStyledElement::ParseStyleAttribute(this=0x00000001296ee240, aValue=u"-moz-tab-size: 4", aResult=0x00007fff578eed18, aForceInDataDoc=false) + 156 at nsStyledElement.cpp:156
frame #7: 0x000000010ab33cd0 XUL`nsStyledElement::ParseAttribute(this=0x00000001296ee240, aNamespaceID=0, aAttribute=u"style", aValue=u"-moz-tab-size: 4", aResult=0x00007fff578eed18) + 96 at nsStyledElement.cpp:43
frame #8: 0x000000010c13eacb XUL`nsGenericHTMLElement::ParseAttribute(this=0x00000001296ee240, aNamespaceID=0, aAttribute=u"style", aValue=u"-moz-tab-size: 4", aResult=0x00007fff578eed18) + 475 at nsGenericHTMLElement.cpp:942
frame #9: 0x000000010c01e208 XUL`mozilla::dom::HTMLBodyElement::ParseAttribute(this=0x00000001296ee240, aNamespaceID=0, aAttribute=u"style", aValue=u"-moz-tab-size: 4", aResult=0x00007fff578eed18) + 392 at HTMLBodyElement.cpp:346
frame #10: 0x000000010a8c6eb7 XUL`mozilla::dom::Element::SetAttr(this=0x00000001296ee240, aNamespaceID=0, aName=u"style", aPrefix=<parent is NULL>, aValue=u"-moz-tab-size: 4", aNotify=false) + 855 at Element.cpp:2384
frame #11: 0x000000010c13e3bd XUL`nsGenericHTMLElement::SetAttr(this=0x00000001296ee240, aNameSpaceID=0, aName=u"style", aPrefix=<parent is NULL>, aValue=u"-moz-tab-size: 4", aNotify=false) + 253 at nsGenericHTMLElement.cpp:824
frame #12: 0x0000000109fd180c XUL`nsHtml5TreeOperation::CreateElement(aNs=3, aName=u"body", aAttributes=0x00000001218de200, aFromParser=FROM_PARSER_NETWORK, aNodeInfoManager=0x0000000121882c40, aBuilder=0x0000000121971800) + 2604 at nsHtml5TreeOperation.cpp:435
frame #13: 0x0000000109fd3661 XUL`nsHtml5TreeOperation::Perform(this=0x0000000121923248, aBuilder=0x0000000121971800, aScriptElement=0x00007fff578efbc0) + 1009 at nsHtml5TreeOperation.cpp:690
frame #14: 0x0000000109fc7666 XUL`nsHtml5TreeOpExecutor::RunFlushLoop(this=0x0000000121971800) + 1270 at nsHtml5TreeOpExecutor.cpp:451
frame #15: 0x0000000109fca4b1 XUL`nsHtml5ExecutorFlusher::Run(this=0x00000001218d9820) + 81 at nsHtml5StreamParser.cpp:128
frame #16: 0x00000001089dd406 XUL`nsThread::ProcessNextEvent(this=0x000000011d50e1a0, aMayWait=false, aResult=0x00007fff578efde3) + 1254 at nsThread.cpp:1240
frame #17: 0x0000000108a6bafc XUL`NS_ProcessPendingEvents(aThread=0x000000011d50e1a0, aTimeout=10) + 140 at nsThreadUtils.cpp:332
frame #18: 0x000000010d0581be XUL`nsBaseAppShell::NativeEventCallback(this=0x000000011d5c9b80) + 190 at nsBaseAppShell.cpp:97
frame #19: 0x000000010d0f43e2 XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x000000011d5c9b80) + 498 at nsAppShell.mm:392
frame #20: 0x00007fffb217d981 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
frame #21: 0x00007fffb215ea7d CoreFoundation`__CFRunLoopDoSources0 + 557
frame #22: 0x00007fffb215df76 CoreFoundation`__CFRunLoopRun + 934
frame #23: 0x00007fffb215d974 CoreFoundation`CFRunLoopRunSpecific + 420
frame #24: 0x00007fffb16e9acc HIToolbox`RunCurrentEventLoopInMode + 240
frame #25: 0x00007fffb16e9901 HIToolbox`ReceiveNextEventCommon + 432
frame #26: 0x00007fffb16e9736 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
frame #27: 0x00007fffafc8fae4 AppKit`_DPSNextEvent + 1120
frame #28: 0x00007fffb040a21f AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2789
frame #29: 0x000000010d0f2f24 XUL`::-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x0000000121bb8e00, _cmd="nextEventMatchingMask:untilDate:inMode:dequeue:", mask=18446744073709551615, expiration=4001-01-01 00:00:00 UTC, mode="kCFRunLoopDefaultMode", flag=YES) + 116 at nsAppShell.mm:128
frame #30: 0x00007fffafc84465 AppKit`-[NSApplication run] + 926
frame #31: 0x000000010d0f4d8c XUL`nsAppShell::Run(this=0x000000011d5c9b80) + 172 at nsAppShell.mm:666
frame #32: 0x000000010e76a325 XUL`XRE_RunAppShell() + 325 at nsEmbedFunctions.cpp:927
frame #33: 0x0000000109404b1b XUL`mozilla::ipc::MessagePumpForChildProcess::Run(this=0x000000011d533f60, aDelegate=0x00007fff578f1ad0) + 187 at MessagePump.cpp:269
frame #34: 0x0000000109301755 XUL`MessageLoop::RunInternal(this=0x00007fff578f1ad0) + 117 at message_loop.cc:238
frame #35: 0x00000001093016b5 XUL`MessageLoop::RunHandler(this=0x00007fff578f1ad0) + 21 at message_loop.cc:231
frame #36: 0x000000010930165d XUL`MessageLoop::Run(this=0x00007fff578f1ad0) + 45 at message_loop.cc:211
frame #37: 0x000000010e769a1e XUL`XRE_InitChildProcess(aArgc=5, aArgv=0x00007fff578f1da0, aChildData=0x00007fff578f1d28) + 4334 at nsEmbedFunctions.cpp:759
frame #38: 0x000000010e778657 XUL`mozilla::BootstrapImpl::XRE_InitChildProcess(this=0x000000011d5150d0, argc=8, argv=0x00007fff578f1da0, aChildData=0x00007fff578f1d28) + 39 at Bootstrap.cpp:65
frame #39: 0x00000001083100c9 plugin-container`content_process_main(bootstrap=0x000000011d5150d0, argc=8, argv=0x00007fff578f1da0) + 217 at plugin-container.cpp:115
frame #40: 0x0000000108310247 plugin-container`main(argc=9, argv=0x00007fff578f1da0) + 103 at MozillaRuntimeMain.cpp:26
frame #41: 0x00007fffc76b6255 libdyld.dylib`start + 1
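The second violation is reported here, when the parser appends an element to the tree (nsHtml5TreeOperation::Append → Element::BindToTree → nsStyledElement::ReparseStyleAttribute). In this trace the style text passed to the CSP check and the report sample are both empty, and the violated directive string reads "default-src view-source://:1" rather than "default-src view-source://":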
* thread #1: tid = 0x89a47, 0x00000001134c31a0 XUL`CSPReportSenderRunnable::CSPReportSenderRunnable(this=0x000000010e11ba60, aBlockedContentSource=0x00000001064f9bb0, aOriginalURI=0x0000000108f8f240, aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=u"default-src view-source://:1", aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"", aLineNum=0, aCSPContext=0x0000000105144380) + 384 at nsCSPContext.cpp:1051, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
* frame #0: 0x00000001134c31a0 XUL`CSPReportSenderRunnable::CSPReportSenderRunnable(this=0x000000010e11ba60, aBlockedContentSource=0x00000001064f9bb0, aOriginalURI=0x0000000108f8f240, aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=u"default-src view-source://:1", aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"", aLineNum=0, aCSPContext=0x0000000105144380) + 384 at nsCSPContext.cpp:1051
frame #1: 0x00000001134ab58b XUL`CSPReportSenderRunnable::CSPReportSenderRunnable(this=0x000000010e11ba60, aBlockedContentSource=0x00000001064f9bb0, aOriginalURI=0x0000000108f8f240, aViolatedPolicyIndex=0, aReportOnlyFlag=false, aViolatedDirective=u"default-src view-source://:1", aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"", aLineNum=0, aCSPContext=0x0000000105144380) + 171 at nsCSPContext.cpp:1050
frame #2: 0x00000001134a4e7b XUL`nsCSPContext::AsyncReportViolation(this=0x0000000105144380, aBlockedContentSource=0x00000001064f9bb0, aOriginalURI=0x0000000108f8f240, aViolatedDirective=u"default-src view-source://:1", aViolatedPolicyIndex=0, aObserverSubject=u"Inline Style had invalid hash", aSourceFile=u"view-source:https://people-mozilla.org/~eakhgari/csp-style-test/", aScriptSample=u"", aLineNum=0) + 331 at nsCSPContext.cpp:1165
frame #3: 0x00000001134a72f0 XUL`nsCSPContext::reportInlineViolation(this=0x0000000105144380, aContentType=4, aNonce=u"", aContent=u"", aViolatedDirective=u"default-src view-source://:1", aViolatedPolicyIndex=0, aLineNumber=0) + 1136 at nsCSPContext.cpp:473
frame #4: 0x00000001134a7682 XUL`nsCSPContext::GetAllowsInline(this=0x0000000105144380, aContentType=4, aNonce=u"", aParserCreated=false, aContent=u"", aLineNumber=0, outAllowsInline=0x00007fff5e272a57) + 786 at nsCSPContext.cpp:517
frame #5: 0x00000001141708ed XUL`nsStyleUtil::CSPAllowsInlineStyle(aContent=0x0000000000000000, aPrincipal=0x000000010672d8b0, aSourceURI=0x0000000108f8f240, aLineNumber=0, aStyleText=u"", aRv=0x0000000000000000) + 557 at nsStyleUtil.cpp:824
frame #6: 0x00000001117e1dcc XUL`nsStyledElement::ParseStyleAttribute(this=0x00000001051446a0, aValue=u"", aResult=0x00007fff5e272d48, aForceInDataDoc=false) + 156 at nsStyledElement.cpp:156
frame #7: 0x00000001117e23ba XUL`nsStyledElement::ReparseStyleAttribute(this=0x00000001051446a0, aForceInDataDoc=false) + 218 at nsStyledElement.cpp:126
frame #8: 0x0000000111572259 XUL`mozilla::dom::Element::BindToTree(this=0x00000001051446a0, aDocument=0x0000000106723000, aParent=0x000000010210be20, aBindingParent=0x0000000000000000, aCompileEventHandlers=true) + 3881 at Element.cpp:1716
frame #9: 0x0000000112de9de6 XUL`nsGenericHTMLElement::BindToTree(this=0x00000001051446a0, aDocument=0x0000000106723000, aParent=0x000000010210be20, aBindingParent=0x0000000000000000, aCompileEventHandlers=true) + 86 at nsGenericHTMLElement.cpp:475
frame #10: 0x0000000111770f4e XUL`nsINode::doInsertChildAt(this=0x000000010210be20, aKid=0x00000001051446a0, aIndex=1, aNotify=false, aChildArray=0x000000010210be90) + 1150 at nsINode.cpp:1613
frame #11: 0x00000001115904b8 XUL`mozilla::dom::FragmentOrElement::InsertChildAt(this=0x000000010210be20, aKid=0x00000001051446a0, aIndex=1, aNotify=false) + 136 at FragmentOrElement.cpp:1148
frame #12: 0x0000000110c7e09f XUL`nsINode::AppendChildTo(this=0x000000010210be20, aKid=0x00000001051446a0, aNotify=false) + 95 at nsINode.h:718
frame #13: 0x0000000110c7df98 XUL`nsHtml5TreeOperation::Append(aNode=0x00000001051446a0, aParent=0x000000010210be20, aBuilder=0x000000010649bc00) + 312 at nsHtml5TreeOperation.cpp:181
frame #14: 0x0000000110c81358 XUL`nsHtml5TreeOperation::Perform(this=0x00000001065c7278, aBuilder=0x000000010649bc00, aScriptElement=0x00007fff5e273bb0) + 232 at nsHtml5TreeOperation.cpp:645
frame #15: 0x0000000110c75666 XUL`nsHtml5TreeOpExecutor::RunFlushLoop(this=0x000000010649bc00) + 1270 at nsHtml5TreeOpExecutor.cpp:451
frame #16: 0x0000000110c784b1 XUL`nsHtml5ExecutorFlusher::Run(this=0x0000000105141460) + 81 at nsHtml5StreamParser.cpp:128
frame #17: 0x000000010f68b406 XUL`nsThread::ProcessNextEvent(this=0x000000010210e1a0, aMayWait=false, aResult=0x00007fff5e273dd3) + 1254 at nsThread.cpp:1240
frame #18: 0x000000010f719afc XUL`NS_ProcessPendingEvents(aThread=0x000000010210e1a0, aTimeout=10) + 140 at nsThreadUtils.cpp:332
frame #19: 0x0000000113d061be XUL`nsBaseAppShell::NativeEventCallback(this=0x00000001021bfb80) + 190 at nsBaseAppShell.cpp:97
frame #20: 0x0000000113da23e2 XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x00000001021bfb80) + 498 at nsAppShell.mm:392
frame #21: 0x00007fffb217d981 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
frame #22: 0x00007fffb215ea7d CoreFoundation`__CFRunLoopDoSources0 + 557
frame #23: 0x00007fffb215df76 CoreFoundation`__CFRunLoopRun + 934
frame #24: 0x00007fffb215d974 CoreFoundation`CFRunLoopRunSpecific + 420
frame #25: 0x00007fffb16e9acc HIToolbox`RunCurrentEventLoopInMode + 240
frame #26: 0x00007fffb16e9901 HIToolbox`ReceiveNextEventCommon + 432
frame #27: 0x00007fffb16e9736 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
frame #28: 0x00007fffafc8fae4 AppKit`_DPSNextEvent + 1120
frame #29: 0x00007fffb040a21f AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2789
frame #30: 0x0000000113da0f24 XUL`::-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x000000010672ce00, _cmd="nextEventMatchingMask:untilDate:inMode:dequeue:", mask=18446744073709551615, expiration=4001-01-01 00:00:00 UTC, mode="kCFRunLoopDefaultMode", flag=YES) + 116 at nsAppShell.mm:128
frame #31: 0x00007fffafc84465 AppKit`-[NSApplication run] + 926
frame #32: 0x0000000113da2d8c XUL`nsAppShell::Run(this=0x00000001021bfb80) + 172 at nsAppShell.mm:666
frame #33: 0x0000000115418325 XUL`XRE_RunAppShell() + 325 at nsEmbedFunctions.cpp:927
frame #34: 0x00000001100b2b1b XUL`mozilla::ipc::MessagePumpForChildProcess::Run(this=0x0000000102133f60, aDelegate=0x00007fff5e275ac0) + 187 at MessagePump.cpp:269
frame #35: 0x000000010ffaf755 XUL`MessageLoop::RunInternal(this=0x00007fff5e275ac0) + 117 at message_loop.cc:238
frame #36: 0x000000010ffaf6b5 XUL`MessageLoop::RunHandler(this=0x00007fff5e275ac0) + 21 at message_loop.cc:231
frame #37: 0x000000010ffaf65d XUL`MessageLoop::Run(this=0x00007fff5e275ac0) + 45 at message_loop.cc:211
frame #38: 0x0000000115417a1e XUL`XRE_InitChildProcess(aArgc=5, aArgv=0x00007fff5e275d98, aChildData=0x00007fff5e275d18) + 4334 at nsEmbedFunctions.cpp:759
frame #39: 0x0000000115426657 XUL`mozilla::BootstrapImpl::XRE_InitChildProcess(this=0x00000001021150d0, argc=8, argv=0x00007fff5e275d98, aChildData=0x00007fff5e275d18) + 39 at Bootstrap.cpp:65
frame #40: 0x000000010198c0c9 plugin-container`content_process_main(bootstrap=0x00000001021150d0, argc=8, argv=0x00007fff5e275d98) + 217 at plugin-container.cpp:115
frame #41: 0x000000010198c247 plugin-container`main(argc=9, argv=0x00007fff5e275d98) + 103 at MozillaRuntimeMain.cpp:26
frame #42: 0x00007fffc76b6255 libdyld.dylib`start + 1
frame #43: 0x00007fffc76b6255 libdyld.dylib`start + 1
Updated•8 years ago
|
Component: Security → DOM: Security
Updated•8 years ago
|
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
Updated•2 years ago
|
Severity: normal → S3