Bug 1389877: Content-Security-Policy leaks the base URL of some unrelated tabs
Categories: Core :: DOM: Security, defect
Opened 8 years ago
Closed 8 years ago
Status: RESOLVED DUPLICATE of bug 1384741
Reporter: bugs (Unassigned)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
Build ID: 20170812100345
Steps to reproduce:
1) Have a website.
2) Add this CSP header to the web server:
```
add_header Content-Security-Policy "default-src 'unsafe-inline' data:; report-uri /report-csp-violation" always;
```
3) Open many tabs in Firefox; I currently have about 560 of them open, including some hundred actually loaded.
4) Visit this website using Firefox nightly (tested on 57.0a1 (2017-08-12) (64-bit), and 2017-08-08).
Actual results:
The POST URL received about ten requests containing the base URL of some of the domains I have in open tabs.
If I add https: to the default-src, I get fewer domains (only the ones in http:), and if I also add http: I get none.
You can test this on https://movim.jabberfr.org/ where the CSP header contains more directives, but the result is the same.
These requests don’t even appear in the network console, which means users will have a very hard time seeing the bug; Wireshark or similar tools will be required.
Expected results:
No leak should happen.
Comment 1•8 years ago
Do you have stylo/servo enabled (check the value of layout.css.servo.enabled in about:config) and is this fixed on today's nightly? If so, I expect this is a duplicate of bug 1384741.
Flags: needinfo?(bugs)
Updated•8 years ago
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Updated•8 years ago
Group: core-security → dom-core-security
Comment 3•8 years ago
Yes, that sounds like bug 1384741, which landed the day after the build mentioned in comment 0.
Flags: needinfo?(cam)
Reporter
Comment 4•8 years ago
I indeed have this property set, and I can’t reproduce anymore on master, thanks for fixing it. :)
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(bugs)
Resolution: --- → DUPLICATE
Updated•5 years ago
Group: dom-core-security