1412107 - <link rel=preconnect> appears to bypass content policies

Status: RESOLVED INVALID

(Core :: DOM: Security, defect)

Description

[Daniel Veditz [:dveditz]]

+++ This bug was initially created as a clone of Bug #1408867 +++

Looking at the code I don't see where <link rel=preconnect> checks with any content policies (unlike the similar rel=preload). How much this matters depends on the purpose of the content policy. For example, this doesn't cause any problems for the mixed-content blocker since no content ends up in the document and no cookies are sent. Matters a lot to any use that's trying to police connections/loads in order to prevent privacy leaks (privacy add-ons? tracking protection?) since information can be embedded in the subdomain names.

Probably not a huge deal for Content-security-policy since CSP doesn't try to prevent all exfiltration (navigation isn't blocked) and the preconnect can't result in any content inserted into the document.

Comment 1

[Daniel Veditz [:dveditz]]

Tom: is this something Tor needs to worry about? I assume--but haven't checked--that the preconnect goes through the proxy and I don't know if Tor relies on content policies. HTTPS Everywhere might miss these, but since no response is incorporated into web content it's just a potentially wasted insecure connection.

Comment 2

[Tom Ritter [:tjr]]

I don't believe Tor is affected by this, but I'm add Georg and Arthur just in case.

Comment 3

[Georg Koppen]

I think we are good with <link rel=preconnect> regarding proxy obedience. And, no, we don't rely on content policies. So, all in all I'd say we are not affected.

Comment 4

[Daniel Veditz [:dveditz]]

I guess this is OK as-is -- it's not really "content". It's just warming up the connection so it doesn't make sense to send through the content policies.