Closed Bug 1385579 Opened 8 years ago Closed 8 years ago

Information leak with CSP

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal

Tracking


RESOLVED INCOMPLETE

People

(Reporter: jwalker, Unassigned)

Details

While testing a CSP policy developed locally, I see the following error report:

    { 'csp-report':
      { 'blocked-uri': 'https://habitica.com',
        'document-uri': 'http://localhost:3000/',
        'original-policy': 'default-src \'none\'; script-src http://localhost:3000; frame-src http://localhost:3000; frame-ancestors http://localhost:3000; img-src http://localhost:3000 data:; style-src http://localhost:3000 \'unsafe-inline\'; connect-src http://localhost:3000 ws://localhost:3000; manifest-src http://localhost:3000; font-src http://localhost:3000; report-uri http://localhost:3000/cspviolation',
        referrer: '',
        'violated-directive': 'font-src http://localhost:3000' } }

I have a tab open to Habitica, but I wouldn't expect my CSP policy to be affecting it, and I certainly wouldn't expect to see reports of this in my logs. I'm on Nightly.
Group: core-security → dom-core-security
Component: Security → DOM: Security
Why would CSP think your other tab is a font (see violated-directive)? Are you sure there's no reference to habitica in any stylesheet or framework you're using? Can you share your testpage, or a reduced version of it that still reproduces the problem?
Flags: needinfo?(jwalker)
Test page isn't easy right now, maybe I can work something out if we need to. I've just reloaded and spent more time looking at the errors. I'm very sure that this isn't my site referring to Habitica by mistake. There are many CSP violations reported; I'll summarize.

Most of the error reports are about fonts (a few aren't; I've included one at the end). The first font report looks like this (I've elided the parts that are the same as above):

    Body: { "csp-report": {
      "blocked-uri": "https://fonts.gstatic.com",
      "document-uri": "http://localhost:3000/",
      "line-number": 1,
      "original-policy": "default-src 'none'; script-src http://localhost:3000; frame-src http://localhost:3000; frame-ancestors http://localhost:3000; img-src http://localhost:3000 data:; style-src http://localhost:3000 'unsafe-inline'; connect-src http://localhost:3000 ws://localhost:3000; manifest-src http://localhost:3000; font-src http://localhost:3000; report-uri http://localhost:3000/cspviolation",
      "referrer": "",
      "script-sample": ";(function installGlobalHook(window) {\n ...",
      "source-file": "http://localhost:3000/",
      "violated-directive": "font-src http://localhost:3000" } }

There is a webconsole message to go along with this:

    18:20:06.596 Content Security Policy: The page's settings blocked the loading of a resource at https://fonts.gstatic.com/s/arvo/v9/rC7kKhY-eUDY-ucISTIf5PesZW2xOQ-xsNqO47m55DA.woff2 ("font-src http://localhost:3000").

Now I'm not using "Arvo" in my site, but a Google Doc I have open does.

There are then 6 more server reports, all of which just mention `"blocked-uri": "https://fonts.gstatic.com"` on the server, but the webconsole messages have more detail:

    18:20:06.596 Content Security Policy: The page's settings blocked the loading of a resource at https://fonts.gstatic.com/s/arvo/v9/rC7kKhY-eUDY-ucISTIf5PesZW2xOQ-xsNqO47m55DA.woff2 ("font-src http://localhost:3000").
    18:20:06.598 Content Security Policy: The page's settings blocked the loading of a resource at https://fonts.gstatic.com/s/opensans/v14/cJZKeOuBrn4kERxqtaUH3ZBw1xU1rKptJj_0jans920.woff2 ("font-src http://localhost:3000").
    18:20:06.601 Content Security Policy: The page's settings blocked the loading of a resource at https://fonts.gstatic.com/s/opensans/v14/rz_d-lYvynrnx9mBCNBwxZBw1xU1rKptJj_0jans920.woff2 ("font-src http://localhost:3000").
    18:20:06.604 Content Security Policy: The page's settings blocked the loading of a resource at https://fonts.gstatic.com/s/lora/v10/_IxjUs2lbQSu0MyFEAfa7ZBw1xU1rKptJj_0jans920.woff2 ("font-src http://localhost:3000").
    18:20:06.606 Content Security Policy: The page's settings blocked the loading of a resource at https://fonts.gstatic.com/l/font?kit=caKCyKyFMEPgyy8-fqXIrXYhjbSpvc47ee6xR_80Hnw&skey=3d1eb1871fcc58a1&v=v8 ("font-src http://localhost:3000").
    18:20:06.608 Content Security Policy: The page's settings blocked the loading of a resource at https://fonts.gstatic.com/s/lora/v10/rAXKWvABQNHjPUk26ixVvvesZW2xOQ-xsNqO47m55DA.woff2 ("font-src http://localhost:3000").

Again, no "Lora" on my site.

Next there's this from the server:

    Body: { "csp-report": { "blocked-uri": "https://www.gitbook.com", ... } }

Which matches:

    18:20:06.611 Content Security Policy: The page's settings blocked the loading of a resource at https://www.gitbook.com/assets/fonts/roboto/Roboto/Roboto-Medium.woff2 ("font-src http://localhost:3000").

I am using Roboto, but certainly not from Gitbook. Gitbook is a tab that I *had* open maybe an hour ago.

---------------------------

This is the first thing from the server console log. I'm including it as it's different to the others. It's possible that this is an actual problem in my code, although Chrome Canary doesn't complain and "installGlobalHook" doesn't exist in any of my client JS.

    Body: { "csp-report": { "blocked-uri": "self", ... "violated-directive": "script-src http://localhost:3000" } }

There is a webconsole message to go along with this:

    18:20:04.402 Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://localhost:3000"). Source: ;(function installGlobalHook(window) {

I suspect this is another instance of CSP messages leaking between tabs.
Flags: needinfo?(jwalker)
A font-loading violation shouldn't have a script-sample or a line number. The script sample ought to be the first 40 (or so?) characters of the script and what you're showing looks like the middle of something. uninitialized memory? Christoph: does any of this make sense to you?
Flags: needinfo?(ckerschb)
I'm sorry, the first report in comment 2 suffered from a cut and paste error. The line-number, script-sample and source-file belong to the report at the end. The full version of the first report above should be as follows:

    Body: { "csp-report": {
      "blocked-uri": "https://fonts.gstatic.com",
      "document-uri": "http://localhost:3000/",
      "original-policy": "default-src 'none'; script-src http://localhost:3000; frame-src http://localhost:3000; frame-ancestors http://localhost:3000; img-src http://localhost:3000 data:; style-src http://localhost:3000 'unsafe-inline'; connect-src http://localhost:3000 ws://localhost:3000; manifest-src http://localhost:3000; font-src http://localhost:3000; report-uri http://localhost:3000/cspviolation",
      "referrer": "",
      "violated-directive": "font-src http://localhost:3000" } }

I noticed something else: I'm getting leaked CSP errors on any site with a CSP policy. For example, this bugzilla page has a similar set of CSP errors.
More debugging: restarting in safe mode doesn't fix it, so it's not related to any addons, but restarting with a clean profile does, so it's something in my profile.
Maybe an old copy of a resource is stuck in your cache?
> Maybe an old copy of a resource is stuck in your cache?

Yes, that fixed it. Although it can't be a single old resource that's the cause: I saw this problem on bugzilla.mozilla.org and localhost:3000. Maybe we're saying the cache was corrupt in some way?
(In reply to Joe Walker [:jwalker] (needinfo me or ping on irc) from comment #4)
> I'm sorry, the first report in comment 2 suffered from a cut and paste
> error. The line-number, script-sample and source-file belong to the report
> at the end. The full version of the first report above should be as follows

That makes me already feel a little better. I was really worried when I saw those reports, which included a script-sample.

Anyway, most likely, actually most definitely, it must have something to do with fonts in our cache. I also don't think it's a single old resource (regarding comment 7). Potentially we incorrectly load those fonts from the cache when opening a new page somehow? Ultimately I think it would be best to get a stacktrace if we can reproduce the problem. Ideally from that point [1] in the CSP code.

[1] https://dxr.mozilla.org/mozilla-central/source/dom/security/nsCSPContext.cpp#244
Flags: needinfo?(ckerschb)
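Added example, not code from this bug, from the reporter, or from Firefox: a small Node.js script that parses the `original-policy` string quoted in a report of the shape posted above, works out which source list governs the violated directive, and checks whether the report's `blocked-uri` is really disallowed by that policy. Reports the policy would have permitted (like the `self` script report the reporter was unsure about, or a report forged by POSTing to the unauthenticated `report-uri` endpoint) are flagged for triage. It goes beyond the reports in the bug in that it also handles the `default-src` fallback, wildcard hosts, scheme sources such as `data:`, and the CSP3 `inline` spelling of `self`. The helper names (`parsePolicy`, `matchesSource`, `explainReport`, `summarize`) and the sample reports are mine; the samples are constructed to mirror the ones quoted in the bug plus one deliberately inconsistent report.

```javascript
'use strict';
// Added example (not from the bug or from Firefox): check CSP violation reports
// against the policy they quote, so that reports which the policy would have
// allowed stand out as suspicious (browser bug, injected content, forged POST).

// Fetch directives that fall back to default-src when absent (CSP Level 2/3).
const FALLS_BACK_TO_DEFAULT = new Set(['script-src', 'style-src', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src', 'child-src', 'worker-src', 'manifest-src']);

// "directive src src; directive src" -> Map(directive -> [sources]); first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !directives.has(tokens[0].toLowerCase())) {
      directives.set(tokens[0].toLowerCase(), tokens.slice(1));
    }
  }
  return directives;
}

// Source list that governs `directive`, or null when the policy leaves it unrestricted.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Does one source expression ('self', scheme:, [scheme://][*.]host[:port|*]) match url?
// Path parts of host-sources are ignored (lenient); nonces and hashes never match a URL.
function matchesSource(expr, url, documentOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === documentOrigin;
  if (e.startsWith("'")) return false;               // 'none', 'unsafe-inline', 'nonce-..', 'sha256-..'
  if (e === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;   // scheme-source, e.g. data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\*|\d+))?(?:\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const urlScheme = url.protocol.slice(0, -1);
  const want = scheme || new URL(documentOrigin).protocol.slice(0, -1);
  if (want !== urlScheme && !(want === 'http' && urlScheme === 'https')) return false; // http may upgrade
  if (wildcard ? !url.hostname.endsWith('.' + host) : url.hostname !== host) return false;
  if (port === '*') return true;
  const defaultPort = urlScheme === 'https' ? '443' : urlScheme === 'http' ? '80' : '';
  return (port || defaultPort) === (url.port || defaultPort);
}

// Explain one report object in the {"csp-report": {...}} shape Firefox POSTs to report-uri.
function explainReport(report) {
  const r = report['csp-report'];
  const directives = parsePolicy(r['original-policy']);
  const directive = (r['effective-directive'] || r['violated-directive']).split(/\s+/)[0];
  const sources = effectiveSources(directives, directive);
  const blocked = r['blocked-uri'];
  // CSP2 reports a blocked inline script/style as "self", CSP3 as "inline".
  if (blocked === 'self' || blocked === 'inline') {
    const allowed = sources === null || sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
    return { directive, blocked, allowed, crossOrigin: false, originOnly: false };
  }
  const url = new URL(blocked);
  const documentOrigin = new URL(r['document-uri']).origin;
  const allowed = sources === null || sources.some((s) => matchesSource(s, url, documentOrigin));
  // Browsers strip a cross-origin blocked URI down to its origin before reporting it, which is
  // why the server only saw https://fonts.gstatic.com while the console showed the full path.
  return { directive, blocked, allowed, crossOrigin: url.origin !== documentOrigin, originOnly: blocked === url.origin };
}

// Group reports by directive and blocked URI; flag groups the quoted policy would have allowed.
function summarize(reports) {
  const groups = new Map();
  for (const report of reports) {
    const info = explainReport(report);
    const key = `${info.directive} ${info.blocked}`;
    const g = groups.get(key) || { key, count: 0, allowedByPolicy: info.allowed, crossOrigin: info.crossOrigin };
    g.count += 1;
    groups.set(key, g);
  }
  return [...groups.values()];
}

// Constructed sample reports modelled on the ones posted in this bug (policy copied from them).
const POLICY = "default-src 'none'; script-src http://localhost:3000; frame-src http://localhost:3000; " +
  "frame-ancestors http://localhost:3000; img-src http://localhost:3000 data:; " +
  "style-src http://localhost:3000 'unsafe-inline'; connect-src http://localhost:3000 ws://localhost:3000; " +
  "manifest-src http://localhost:3000; font-src http://localhost:3000; report-uri http://localhost:3000/cspviolation";
const report = (blockedUri, violatedDirective) => ({ 'csp-report': {
  'blocked-uri': blockedUri, 'document-uri': 'http://localhost:3000/',
  'original-policy': POLICY, 'violated-directive': violatedDirective } });
const SAMPLE_REPORTS = [
  report('https://fonts.gstatic.com', 'font-src http://localhost:3000'),
  report('https://fonts.gstatic.com', 'font-src http://localhost:3000'),
  report('https://www.gitbook.com', 'font-src http://localhost:3000'),
  report('self', 'script-src http://localhost:3000'),
  // Constructed, not from the bug: a report whose blocked-uri the policy permits,
  // i.e. one that no correctly behaving browser should have sent for this policy.
  report('http://localhost:3000/app.js', 'script-src http://localhost:3000'),
];

for (const g of summarize(SAMPLE_REPORTS)) {
  console.log(`${g.count}x ${g.key}${g.allowedByPolicy ? '  <-- allowed by policy, suspicious' : ''}`);
}
```

The `self` script report comes out as a genuine violation of the quoted policy (no `'unsafe-inline'` in `script-src`), so the check alone cannot tell an extension-injected inline script from the page's own; it can only rule out the third class of noise, reports that contradict the policy they quote, which is the first thing to discard when a `report-uri` endpoint is being flooded.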
Joe: we don't know how to move forward on this one. If it's no longer happening to you can we mark this "worksforme"?
Flags: needinfo?(jwalker)
Agreed. There's not enough to go on, and this could be caused by a messed up profile. I'd like to dig into the core issue a bit more, but we shouldn't have this on file waiting.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jwalker)
Resolution: --- → INCOMPLETE
Group: dom-core-security