Closed Bug 1414209 Opened 7 years ago Closed 7 years ago

Content Security Policy confused by order of preload Link headers

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Version:
56 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla59
Tracking Flags:
Tracking Status
firefox59 --- fixed

People

(Reporter: sjon, Assigned: dragana)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

bug_1414209_v1.patch
744 bytes, patch
smaug
: review+
Details | Diff | Splinter Review 
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20171027085204

Steps to reproduce:

When multiple Link headers (or possibly multiple values in a single header) are present - the CSP handler gets confused and incorrectly blocks the preload. This reproduces it in PHP:

header("Content-Security-Policy: script-src 'self' cdn.jsdelivr.net; style-src 'self';");
// this fails incorrectly
header("Link: </s/c.css>; rel=preload; as=style, </s/c.js>; rel=preload; as=script, <https://cdn.jsdelivr.net/gh/ajaxorg/ace-builds@1.2.8/src-min-noconflict/worker-php.js>; rel=preload; as=script");

// this has the same values in a different order - and works
// header("Link: </s/c.js>; rel=preload; as=script, </s/c.css>; rel=preload; as=style, <https://cdn.jsdelivr.net/gh/ajaxorg/ace-builds@1.2.8/src-min-noconflict/worker-php.js>; rel=preload; as=script");



Actual results:

Content Security Policy: The page’s settings blocked the loading of a resource at https://cdn.jsdelivr.net/gh/ajaxorg/ace-builds@1.2.8/src-min-noconflict/worker-php.js (“style-src http://site.com”).


Expected results:

no error
Component: Untriaged → DOM: Security
Product: Firefox → Core
Dragana: This feels like it's broken in the link header processing of the "as=" bits -- is that something you're working on, or if not do you know who it would be?
Flags: needinfo?(dd.mozilla)
I can take a look. preload is currently disabled. but it would be good to fix this.
Assignee: nobody → dd.mozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(dd.mozilla)
Priority: -- → P3
Whiteboard: [domsecurity-active]

        Attachment #8933735 -
        Flags: review?(bugs)

    
    

    
  
Comment on attachment 8933735 [details] [diff] [review]
bug_1414209_v1.patch

Some comment about why this is needed would have been nice, but I looked at the method and the loop there.

        Attachment #8933735 -
        Flags: review?(bugs) → review+

    
    

    
  
Pushed by dd.mozilla@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f28a10b116e0
Truncate as value after each link header. r=smaug

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/f28a10b116e0
Status: ASSIGNED → RESOLVED
Closed: 7 years ago

          status-firefox59:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla59

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: