1343950 - (csp-unsafe-hashes) Content Security Policy (CSP) implement unsafe-hashes

Status: RESOLVED FIXED

(Core :: DOM: Security, task, P3)

Description

[Luke Inman-Semerau]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

Example HTML:
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashed-attributes' 'sha256-XTqNqFSUlZHAW7f/OGNYSOEzxKhjdAAGMXoid2VEbJk=';">
</head>
<body>
<button onclick="alert('hi')">click me to say hi</button>
</body>
</html>


Click on button.


Actual results:

console:

 Content Security Policy: Couldn’t parse invalid host 'unsafe-hashed-attributes'

 Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src 'sha256-XTqNqFSUlZHAW7f/OGNYSOEzxKhjdAAGMXoid2VEbJk='”). Source: onclick attribute on BUTTON element.


Expected results:

Alert with 'hi' should shown.

https://w3c.github.io/webappsec-csp/#unsafe-hashed-attributes-usage

Comment 2

[Florian Scholz (Open Web Docs)]

This seems to have been renamed to 'unsafe-hashes'

Comment 3

[victortorrealba.es01]

https://fr.freeadultcamsonline.com/femmes-mûres

Comment 4

[Murphy Tom]

Content Security Policy is an outstanding browser security feature that can prevent XSS (Cross-Site Scripting) attacks. It also obsoletes the old X-Frame-Options header for preventing cross-site framing attacks.

What are XSS vulnerabilities?

XSS (Cross-Site Scripting) vulnerabilities arise when untrusted data gets interpreted as code in a web context. They usually result from:

1. Generating HTML unsafely (parameterizing without encoding correctly).
2. Allowing users to edit HTML directly (WYSIWYG editors, for example).
3. Allowing users to upload HTML/SVG files and serving those back unsafely.
4. Allowing users to set the HREF attributes of links.
5. Using JavaScript unsafely (passing untrusted data into executable functions/properties).
6. Using outdated and vulnerable JavaScript packages.

XSS attacks exploit these vulnerabilities by, e.g., creating malicious links that inject and execute the attacker's JavaScript code in the target user's web browser when the user opens the link.

A simple example

Here is a PHP script that is vulnerable to XSS:

echo"<p>Search results for: ".$_GET('search')."</p>"

It is vulnerable because it generates HTML unsafely. The search parameter is not encoded correctly. An attacker can create a link such as the following, which would execute the attacker's JavaScript code on the website when the target opens it:

https://www.example.com/?search=
<script>
 alert('XSS')
</script>

Opening the link results in the following HTML getting rendered in the user's browser:

<p>
 Search results for:
 <script>
 alert('XSS')
 </script>
</p>

Best,
Murphy
Essay Writer

Comment 5

[ScoutSimone]

Depends on: uno online:
The current Video PiP implementation appears to function as intended, displaying an arbitrary video> in a floating window. One way to support websites that draw their own elements over the video, such as YouTube and Netflix, would be to implement a windowed fullscreen feature that puts whatever custom fullscreen UI a website has implemented into a window.

Comment 6

[AlleneBrick]

Thanks for sharing this, for more you can visit https://mycenturahealth.site/

Comment 7

[Michał Botarty]

did you fix it? if so, how?

Comment 8

[Tom Schuster (MoCo)]

Attachment: Bug 1343950 - CSP: Enable the 'unsafe-hashes' keyword by default. r?freddyb

Comment 9

[Pulsebot]

Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/734d03776a9c
CSP: Enable the 'unsafe-hashes' keyword by default. r=freddyb

Comment 10

[daisylimo]

Limo and Airport Car Service in Lacey Township
https://www.daisylimo.com/lacey-township-new-jersey.html

Comment 11

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/734d03776a9c

Comment 13

[Ksenia Berezina [:ksenia]]

We've received multiple reports about Microsoft Azure data factory breaking since changes in bug1797070. It's currently broken on release (108) and fixed in Nightly (110) by this patch (confirmed with mozregression --find-fix).

Hi Tom, following up on your comment3 from bug1806845 , wonder if it's possible to uplift this patch to Beta and maybe release since there might be a lot of users affected?

Comment 14

[Tom Schuster (MoCo)]

Comment on attachment 9308661 [details]
Bug 1343950 - CSP: Enable the 'unsafe-hashes' keyword by default. r?freddyb

Beta/Release Uplift Approval Request

• User impact if declined: Previously working websites were broken. Hard to workaround for websites without decreasing their security.
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): This was tested in Nightly already. Most of the code already existed, but now is "opt-in" (via 'unsafe-hashes') for websites.
• String changes made/needed: n/a
• Is Android affected?: Yes

Comment 16

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9308661 [details]
Bug 1343950 - CSP: Enable the 'unsafe-hashes' keyword by default. r?freddyb

Not super crazy about taking this so late in the beta cycle, but I'm also not crazy about leaving sites broken for another cycle. Approved for 109.0b8 but let's be on the lookout for any regressions.

Comment 17

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/b970bf751d85

Comment 19

[Ruth John]

Tracking issue for MDN updates https://github.com/mdn/content/issues/23679