Closed
Bug 1419222
Opened 7 years ago
Closed 5 years ago
iframe CSP is blocking content in the parent document
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla71
Tracking | Status | |
---|---|---|
firefox71 | --- | fixed |
People
(Reporter: thiagotbl, Assigned: jallmann)
References
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(2 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Steps to reproduce: Firefox version 56.0.1 (64-bit) CSP applied to iframe is interfering in parent CSP rules (even after iframe is removed) Steps to repro: 1. Please open the attached html in Firefox. Please note that there is no img-src CSP is set to "* data:" 2. See that it correctly loads the image 3. Click the button -> it will append an iframe to the document body with the following CSP: "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';", and it will also append the same image that was loaded in the html Actual results: img is not loaded Expected results: img should load fine, since the CSP restriction is applied to the iframe All other browsers (Chrome and Edge) load the image. The bug also happens if you remove the iframe before inserting the new img tag
Updated•7 years ago
|
Component: Untriaged → DOM: Security
Product: Firefox → Core
Updated•7 years ago
|
Assignee: nobody → ckerschb
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Whiteboard: [domsecurity-active]
Comment 1•7 years ago
|
||
This is probably another case where we accidentally shared an nsIPrincipal with CSP on it and propagated things when we shouldn't. We should really consider doing bug 965637 in the near future.
See Also: → 965637
Comment 2•7 years ago
|
||
(In reply to Ben Kelly [:bkelly] from comment #1) > We should really consider doing bug 965637 in the near future. I agree, I am all up for moving the CSP away from nsIPrincipal.
Updated•7 years ago
|
Status: NEW → ASSIGNED
Thanks for looking into that issue so quickly everyone. In the meantime, is there any workaround that can be done to overcome this? I can't change the behavior since I use a 3rd party library that adds the iframe with a CSP set (which I want to be more restrictive than the parent document). Thanks
Comment 4•7 years ago
|
||
It seems what's happening here is the following: the page creates a new iframe using
> frame = document.createElement("iframe");
> document.body.appendChild(frame);
and then adds a CSP to that iframe. Since it's a same origin iframe, we reuse the principal of the top-level page and literally add a CSP to that principal, which in turn applies the CSP to the top-level document.
Boris, what do you think, should we generate a copy of the principal in that case? If so, where should we ideally do that, within docshell or does it need to happen earlier?
Flags: needinfo?(bzbarsky)
Comment 5•7 years ago
|
||
(In reply to thiagotbl from comment #3) > Thanks for looking into that issue so quickly everyone. > In the meantime, is there any workaround that can be done to overcome this? > I can't change the behavior since I use a 3rd party library that adds the > iframe with a CSP set (which I want to be more restrictive than the parent > document). In that case I guess there is not much you can do as a workaround at this time - sorry.
Comment 6•7 years ago
|
||
> Boris, what do you think, should we generate a copy of the principal in that case? No, what you should do is stop tying CSP to principals. See comment 1. You can't sanely "generate a copy of the principal" and have things work correctly if it's representing a unique origin. That said, it's not clear what the right behavior here even is, per spec. See https://github.com/w3c/webappsec-csp/issues/207 which hasn't gotten a useful response from anyone working on the spec in over 6 months now.
Flags: needinfo?(bzbarsky)
Comment 7•7 years ago
|
||
And to be clear, the spec talks about the CSP of the iframe in this case aliasing something about the parent, but isn't very clear on what, exactly. If it's supposed to alias the CSP of the parent, then our behavior is correct per spec. Please just keep pinging Mike West until you have at least the desired behavior clear.
Comment 8•7 years ago
|
||
For what it's worth, we are discussing spec options at: https://github.com/w3c/webappsec-csp/issues/207
Comment 9•7 years ago
|
||
FWIW, we agreed on updating the spec to be more explicit. In turn, that means that the iframe in that scenario should 'copy' the CSP from the parent but the CSP from the iframe should not hoist to the embedding document/parent. As explained, this problem can not easily be fixed because the CSP hangs of nsIPrincipals within Firefox. Ultimately we have to fix Bug 965637 by moving the CSP from the nsIPrincipal over to ClientInfo. This requires some major refactoring; I will update our roadmap accordingly. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=965637#c10
Updated•7 years ago
|
Assignee: ckerschb → nobody
Status: ASSIGNED → NEW
Priority: P2 → P3
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]
Assignee | ||
Comment 12•5 years ago
|
||
Assignee | ||
Comment 13•5 years ago
|
||
It seems like this bug has been resolved in the meantime, it's not reproducible anymore.
I wrote a test to show that and suggest the bug is closed after the test lands.
Assignee | ||
Updated•5 years ago
|
Comment 15•5 years ago
|
||
Pushed by csabou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bf2586dc8256
Add test for correct handling of iFrame CSPs, r=ckerschb
Keywords: checkin-needed
Comment 16•5 years ago
|
||
bugherder |
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox71:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
You need to log in
before you can comment on or make changes to this bug.
Description
•