CSP check for Function() constructor seems to no longer work

Status: RESOLVED FIXED
Product: Core
Component: DOM: Security
Reporter: Mark Straver
Assignee: Unassigned

Keywords: testcase-wanted

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox53 unaffected, firefox55 unaffected)


Description (Reporter)
A recent change (last night) on GitHub, where their framework introduced a "new Function()" call in a CSP-protected document, caused issues on older versions of Firefox. Those started throwing errors:

"Error: call to Function() blocked by CSP"

The latest versions however, do not. This seems to be a regression.

Preliminary testing shows the following regression range:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=506facea63169a29e04eb140663da1730052db64&tochange=b3ec8a3373e8faca26c39e9ff577a2d4f8b6927a

The offending code in framework.js is

t.exports=new Function("return this")()

which is protected by CSP that doesn't include "unsafe-eval":

script-src assets-cdn.github.com;

So according to the spec this should be blocked, but apparently isn't, anymore.

I can't reproduce in Firefox release (53), nor in Firefox Nightly (version 55, from May 7th).

My STR:
1) go to github.com
2) open developer tools (ctrl+shift+k)
3) f=new Function("lol")
4) Error : call to Function() blocked by CSP
It also looks like we have tests for this, so this can't easily regress.
Maybe we're missing something.

Can you share some additional steps to repeat on your end, JustOff or Mark Straver?
Maybe this is due to a non-standard setting or an extension?
Keywords: testcase-wanted
Status: NEW → UNCONFIRMED
Ever confirmed: false

Comment 4

a year ago
STR:

1) Start Firefox 45.9 ESR (or any Firefox earlier than regression ranges listed above)
2) Open https://github.com
3) `Error: call to Function() blocked by CSP` is in console (and GitHub is partially inoperable)

It should be so because the site CSP doesn't include "unsafe-eval", as pointed out by Mark in the OP, but it isn't with recent Firefox versions.
Comment 5 (Reporter)

a year ago
I only have 52ESR handy at the moment, but the same thing happens there, i.e. it doesn't block the load while it should.

My STR in a new profile to avoid interference of prefs or extensions:
1) go to github.com
2) log in (might not be needed)
3) open any PR or issue page

Everything works while it should not, because:
- frameworks.js uses new Function() [1]
- CSP sets script-src to "script-src assets-cdn.github.com;" [2]

Using an older version of Firefox (see regression range) it throws:
14:17:54.767 Error: call to Function() blocked by CSP1 frameworks-05db7e79d74bfabc198f81407fd7cf00e300fc6b6ade60ac2fbcd77e585ec73a.js:1:6948

[1] relevant part of minified frameworks.js script on github at 1:6948:
5:[function(e,t,n){"use strict";t.exports=new Function("return this")()},{}]

[2] full CSP header: 
"default-src 'none'; base-uri 'self'; child-src render.githubusercontent.com; connect-src 'self' uploads.github.com status.github.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com wss://live.github.com github-production-repository-file-5c1aeb.s3.amazonaws.com; font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; img-src 'self' data: assets-cdn.github.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com github-production-repository-file-5c1aeb.s3.amazonaws.com; media-src 'none'; script-src assets-cdn.github.com; style-src 'unsafe-inline' assets-cdn.github.com"

I hope this helps.
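As an added example covering both the claim in the description (a script-src without 'unsafe-eval' must refuse the Function constructor) and the full header posted in comment 5: a small policy checker plus the CSP-safe way to obtain the global object that the offending shim used `new Function("return this")()` for. This is editor-written code, not code from GitHub, Firefox or anyone on this bug; only the header string is taken from comment 5, and the function names (parseCsp, evalAllowed, globalSafely, functionConstructorBlocked) are the editor's own.

```javascript
// Added example (not code from GitHub, Firefox or this bug): given a
// serialized CSP header, decide whether eval() / new Function() is
// permitted, and show a CSP-safe replacement for the global-object shim
// `new Function("return this")()` quoted above. Function names are the
// editor's own.

// The full Content-Security-Policy header posted in comment 5.
const GITHUB_CSP =
  "default-src 'none'; base-uri 'self'; child-src render.githubusercontent.com; " +
  "connect-src 'self' uploads.github.com status.github.com collector.githubapp.com " +
  "api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com " +
  "wss://live.github.com github-production-repository-file-5c1aeb.s3.amazonaws.com; " +
  "font-src assets-cdn.github.com; form-action 'self' github.com gist.github.com; " +
  "frame-ancestors 'none'; img-src 'self' data: assets-cdn.github.com " +
  "identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com " +
  "*.githubusercontent.com github-production-repository-file-5c1aeb.s3.amazonaws.com; " +
  "media-src 'none'; script-src assets-cdn.github.com; " +
  "style-src 'unsafe-inline' assets-cdn.github.com";

// Parse a serialized policy into { directiveName: [sourceExpression, ...] }.
// Directive names are ASCII case-insensitive; if a name appears twice the
// first occurrence wins and later ones are ignored, as the CSP spec requires.
function parseCsp(header) {
  const policy = {};
  for (const rawDirective of header.split(";")) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

// eval(), new Function() and string arguments to setTimeout() are governed
// by script-src, which falls back to default-src when script-src is absent.
// They are allowed only if that governing directive lists 'unsafe-eval'.
// With neither directive present the policy does not restrict them at all.
function evalAllowed(policy) {
  const governing = policy["script-src"] ?? policy["default-src"];
  if (governing === undefined) return true;
  return governing.some((src) => src.toLowerCase() === "'unsafe-eval'");
}

// The pattern from GitHub's frameworks.js. It compiles a string into a
// function at runtime, so a CSP without 'unsafe-eval' must refuse it
// (Firefox reports "call to Function() blocked by CSP").
function globalViaFunction() {
  return new Function("return this")();
}

// CSP-safe replacement: look the global object up by its standard names
// instead of compiling code. Works in browsers, workers and Node.
function globalSafely() {
  if (typeof globalThis === "object") return globalThis;
  if (typeof self === "object") return self;     // web workers, browsers
  if (typeof window === "object") return window; // browsers
  if (typeof global === "object") return global; // Node
  throw new Error("unable to locate the global object");
}

// Runtime probe a page can run to learn whether the enforced CSP blocks the
// Function constructor: any exception from an empty-bodied constructor call
// means the engine refused to compile it (modern engines throw EvalError).
function functionConstructorBlocked() {
  try {
    new Function("")();
    return false;
  } catch (e) {
    return true;
  }
}

// Usage: check the posted header, then probe the current runtime.
const githubPolicy = parseCsp(GITHUB_CSP);
console.log("script-src:", githubPolicy["script-src"]);
console.log("Function() allowed by header:", evalAllowed(githubPolicy));
console.log("Function() blocked in this runtime:", functionConstructorBlocked());
```

Run under Node (which enforces no CSP) the header check reports that GitHub's policy does not allow Function() while the runtime probe reports it is not blocked; pasted into the console of a page served with that header, the probe is what should flip to true. The probe deliberately treats any exception as "blocked" because older Firefox reported the refusal as a plain Error rather than an EvalError.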

Oh, I misread the date in the regression range to be in 2017, but it is in 2016.
I have tested Firefox ESR (which is 52.x now) and Firefox Beta and Firefox Release and neither of them are affected.

I think we're talking about unsupported versions, here?
status-firefox53: --- → unaffected
status-firefox55: --- → unaffected
status-firefox-esr52: --- → unaffected

New profile, Firefox ESR (52.1.1), signed into GitHub: I do not get the scripts containing the Function constructor (using DevTools search).
Trying to violate the CSP on purpose (see comment 2), does not work for me either.

I do get the code, and it seems to be some kind of shim for ES6 symbols. After implementing bug 1114580, which is included in this regression range, we presumably don't execute the code containing new Function anymore. I think this bug is Invalid, unless there is proof that the new Function call is actually executed.
Comment 9 (Reporter)

a year ago
> I think we're talking about unsupported versions, here?

The unsupported versions seem to do it correctly. The supported versions do not. 
The issue is that something works (GitHub being operable) while it should not :P so, the ones marked unaffected are affected.

> After implementing bug 1114580, which is included in this regression range, we presumably don't execute the code containing new Function anymore.

If someone can confirm that, then it's clearly a problem with the shim that GitHub uses (and not a Firefox issue). Since it's all minified code, it's hard to tell what gets executed and what doesn't.

I've talked with my contacts at GitHub. This is a bug on their end and they are working on a fix that "should go out today" (whichever timezone that is).

Thank you for reporting the problem!
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED