Content Security Policy confused by order of preload Link headers

RESOLVED FIXED in Firefox 59

Status: defect, P3, normal, RESOLVED FIXED
People: Reporter: sjon, Assigned: dragana
Tracking: 56 Branch, mozilla59
Firefox Tracking Flags: firefox59 fixed
Details: Whiteboard: [domsecurity-active]
Attachments: 1 attachment

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Build ID: 20171027085204

Steps to reproduce:

When multiple Link headers (or possibly multiple values in a single header) are present - the CSP handler gets confused and incorrectly blocks the preload. This reproduces it in PHP:

header("Content-Security-Policy: script-src 'self' cdn.jsdelivr.net; style-src 'self';");
// this fails incorrectly
header("Link: </s/c.css>; rel=preload; as=style, </s/c.js>; rel=preload; as=script, <https://cdn.jsdelivr.net/gh/ajaxorg/ace-builds@1.2.8/src-min-noconflict/worker-php.js>; rel=preload; as=script");

// this has the same values in a different order - and works
// header("Link: </s/c.js>; rel=preload; as=script, </s/c.css>; rel=preload; as=style, <https://cdn.jsdelivr.net/gh/ajaxorg/ace-builds@1.2.8/src-min-noconflict/worker-php.js>; rel=preload; as=script");



Actual results:

Content Security Policy: The page’s settings blocked the loading of a resource at https://cdn.jsdelivr.net/gh/ajaxorg/ace-builds@1.2.8/src-min-noconflict/worker-php.js (“style-src http://site.com”).


Expected results:

no error
Component: Untriaged → DOM: Security
Product: Firefox → Core
Dragana: This feels like it's broken in the link header processing of the "as=" bits -- is that something you're working on, or if not do you know who it would be?
Flags: needinfo?(dd.mozilla)
I can take a look. Preload is currently disabled, but it would be good to fix this.
Assignee: nobody → dd.mozilla
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(dd.mozilla)
Priority: -- → P3
Whiteboard: [domsecurity-active]
Attachment #8933735 - Flags: review?(bugs)
Comment on attachment 8933735 [details] [diff] [review]
bug_1414209_v1.patch

Some comment about why this is needed would have been nice, but I looked at the method and the loop there.
Attachment #8933735 - Flags: review?(bugs) → review+
Pushed by dd.mozilla@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f28a10b116e0
Truncate as value after each link header. r=smaug
https://hg.mozilla.org/mozilla-central/rev/f28a10b116e0
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
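
A simplified model of the behaviour reported in this bug, added here as an example; it is not Firefox's code and not the attached patch. It assumes, going by the commit message "Truncate as value after each link header", that the first parsed `as` value was kept for later links in the same header. The function names, the `reset_as` flag and the host-only CSP matching are illustrative.

```python
import re
from urllib.parse import urlsplit

# Constructed from the report: the policy and the two header orderings.
CSP = "script-src 'self' cdn.jsdelivr.net; style-src 'self';"
CDN = "https://cdn.jsdelivr.net/gh/ajaxorg/ace-builds@1.2.8/src-min-noconflict/worker-php.js"
FAILING = f"</s/c.css>; rel=preload; as=style, </s/c.js>; rel=preload; as=script, <{CDN}>; rel=preload; as=script"
WORKING = f"</s/c.js>; rel=preload; as=script, </s/c.css>; rel=preload; as=style, <{CDN}>; rel=preload; as=script"

DIRECTIVE_FOR_AS = {"script": "script-src", "style": "style-src"}


def parse_csp(policy):
    """Return {directive: [source, ...]} for a simple policy string."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0]] = tokens[1:]
    return out


def preload_violations(link_header, policy, page_host="site.com", reset_as=True):
    """List (url, directive) pairs that the policy would block.

    reset_as=False models the assumed defect: the first non-empty `as`
    value is kept for every later link in the same header.
    Source matching is host-only (no schemes, ports, paths or wildcards).
    """
    sources = parse_csp(policy)
    blocked, as_value = [], ""
    for url, params in re.findall(r"<([^>]*)>([^,]*)", link_header):
        for name, value in re.findall(r';\s*(\w+)\s*=\s*"?([^;"\s]+)', params):
            if name == "as" and not as_value:
                as_value = value
        directive = DIRECTIVE_FOR_AS.get(as_value)
        host = urlsplit(url).hostname or page_host  # relative URL = same origin
        allowed = sources.get(directive, [])
        ok = any((s == "'self'" and host == page_host) or s == host for s in allowed)
        if directive and not ok:
            blocked.append((url, directive))
        if reset_as:
            as_value = ""  # the "truncate after each link" step
    return blocked
```

With `reset_as=False` the failing order reports the CDN script against `style-src`, matching the console message in the report, while the reordered header reports nothing because the stale value happens to be `script`.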