CSP: Write testcase for data: URI iframe using a meta CSP including 'self'

RESOLVED FIXED in Firefox 57

Status


Core
DOM: Security
P2
normal
RESOLVED FIXED
5 months ago
5 months ago

People

(Reporter: ckerschb, Assigned: ckerschb)

Tracking

unspecified
mozilla57
Points:
---

Firefox Tracking Flags

(firefox57 fixed)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 attachment, 2 obsolete attachments)

(Assignee)

Description

5 months ago
When working on Bug 1387684 I realized that having a data: URI iframe which uses a meta CSP including 'self' translates 'self' into a data: URI. We fix the issue within Bug 1387684, but we should write our own testcase for it because the wpt test for this relies on the policy violation events (see Bug 1302962), which we haven't implemented yet.
(Assignee)

Updated

5 months ago
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Depends on: 1387684
Priority: -- → P2
Whiteboard: [domsecurity-active]
(Assignee)

Comment 1

5 months ago
Created attachment 8894406 [details] [diff] [review]
bug_1387871_test_meta_csp_self.patch

This needs a little more work than I expected. When flipping the pref so data: URIs become unique opaque origins, then we get the following values when running that test:

Within CSP_CreateHostSrcFromSelfURI:
  aSelfURI: moz-nullprincipal:{6955d7ca-7420-489e-b5f1-2c1ffd31698f}
  scheme: moz-nullprincipal
  host:
  port: 32764

which ultimately translates 'self' into:
  moz-nullprincipal://:32764

within the attached testcase. I am not entirely sure how we should handle that case. I guess it needs a little more discussion with Dan and others.
(Assignee)

Comment 2

5 months ago
Created attachment 8897813 [details] [diff] [review]
bug_1387871_test_meta_csp_self.patch

As described in [1], the test within this bug will land together with the changes from Bug 1387684. 

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1387684#c18
Attachment #8894406 - Attachment is obsolete: true
Attachment #8897813 - Flags: review?(dveditz)
Comment on attachment 8897813 [details] [diff] [review]
bug_1387871_test_meta_csp_self.patch

Review of attachment 8897813 [details] [diff] [review]:
-----------------------------------------------------------------

Am I still reviewing this patch, or will there be another version? I'm not keen on translating moz-nullprincipal: to unique-opaque-origin: because moz-nullprincipal should already mean a unique origin. According to the URL spec (WHATWG) a unique origin shouldn't match even itself so you could just have things fail. Or, a more common-sense interpretation of a "unique" origin would allow it to match itself (exactly!) but not other URLs of the same scheme.

There are URL types that don't have hosts that aren't moz-nullprincipal. Basically, if a URL has a host then it's a scheme+host+port origin comparison; if it doesn't then it's a "unique origin" and we can either common-sense compare the entire URL, or go the "unique origin" definition and simply fail the comparison once we hit that point.
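
The two interpretations from the review comment above, as an added JavaScript sketch that is not part of the bug thread and not Gecko's code. `selfMatches` and the mode constants are hypothetical names, the second moz-nullprincipal UUID and the other URIs are constructed samples, and the host-bearing branch is a strict scheme+host+port comparison, which is a simplification of real CSP source matching.

```javascript
// Added illustration, not Gecko code. selfMatches and the mode names are hypothetical.
const UNIQUE_NEVER_MATCHES = "unique-never-matches";   // strict "unique origin" reading
const UNIQUE_MATCHES_ITSELF = "unique-matches-itself"; // "common-sense" reading

// Decide whether resourceURI is covered by 'self' for a document loaded from selfURI.
function selfMatches(selfURI, resourceURI, mode = UNIQUE_NEVER_MATCHES) {
  const self = new URL(selfURI);
  const res = new URL(resourceURI);

  if (self.hostname !== "") {
    // The URL has a host: plain scheme + host + port comparison.
    // The parser drops default ports, so ":443" and "" compare equal for https.
    return self.protocol === res.protocol &&
           self.hostname === res.hostname &&
           self.port === res.port;
  }

  // No host (data:, moz-nullprincipal:, ...): do not synthesize "scheme://:port".
  if (mode === UNIQUE_MATCHES_ITSELF) {
    return self.href === res.href; // matches itself exactly, nothing else
  }
  return false; // a unique origin matches nothing, not even itself
}

// Constructed sample inputs. NULL_A is the value quoted in Comment 1.
const NULL_A = "moz-nullprincipal:{6955d7ca-7420-489e-b5f1-2c1ffd31698f}";
const NULL_B = "moz-nullprincipal:{00000000-0000-4000-8000-000000000001}";
const DATA_DOC = "data:text/html,framed";

function demo() {
  return {
    sameOrigin: selfMatches("https://example.com/page", "https://example.com:443/a.js"),
    otherPort: selfMatches("https://example.com/page", "https://example.com:8443/a.js"),
    nullStrict: selfMatches(NULL_A, NULL_A),
    nullExact: selfMatches(NULL_A, NULL_A, UNIQUE_MATCHES_ITSELF),
    nullOther: selfMatches(NULL_A, NULL_B, UNIQUE_MATCHES_ITSELF),
    dataOther: selfMatches(DATA_DOC, "data:text/javascript,1", UNIQUE_MATCHES_ITSELF),
    dataToHttp: selfMatches(DATA_DOC, "https://example.com/a.js"),
  };
}

console.log(demo());
```

Under either mode, a second URL that merely shares the host-less scheme is never covered by 'self'.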
Comment on attachment 8897813 [details] [diff] [review]
bug_1387871_test_meta_csp_self.patch

Review of attachment 8897813 [details] [diff] [review]:
-----------------------------------------------------------------

Let's hold off on the review until we see what happens in Bug 1387684
Attachment #8897813 - Flags: review?(dveditz)
(Assignee)

Comment 5

5 months ago
Created attachment 8899116 [details] [diff] [review]
bug_1387871_test_meta_csp_self.patch
Attachment #8899116 - Flags: review?(dveditz)
(Assignee)

Updated

5 months ago
Attachment #8897813 - Attachment is obsolete: true
Attachment #8899116 - Flags: review?(dveditz) → review+

Comment 6

5 months ago
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6c69390e7b8a
CSP: Test 'self' within meta csp in data: URI iframe. r=dveditz
https://hg.mozilla.org/mozilla-central/rev/6c69390e7b8a
Status: ASSIGNED → RESOLVED
Last Resolved: 5 months ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57