Closed Bug 1439330 Opened 8 years ago Closed 7 years ago

CSP: eval is not blocked if 'strict-dynamic' is enabled

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla62

Tracking Flags:

Tracking

Status

firefox62

---

fixed

People

(Reporter: tomi.belan, Assigned: vinoth)

Details

(Whiteboard: [domsecurity-active])

Attachments

(4 files)

good.html 8 years ago Tomi Belan 160 bytes, text/html		Details
bad.html 8 years ago Tomi Belan 177 bytes, text/html		Details
Bug 1439330 - condition added to block eval if only strict-dynamic is present without unsafe-eval keyword 8 years ago Phabricator Automation 45 bytes, text/x-phabricator-request	ckerschb : review+	Details \| Review
Bug 1439330 - Test added to check if eval is blocked if 'strict-dynamic' is enabled 7 years ago Phabricator Automation 46 bytes, text/x-phabricator-request	ckerschb : review+	Details \| Review

Tomi Belan

Reporter

Description

•

8 years ago

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Steps to reproduce: This file only prints 123, as expected: <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-foobar'"> <script nonce="foobar">document.write(123);eval('document.write(456)')</script> But when we add 'strict-dynamic', it prints 123456: <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-foobar' 'strict-dynamic'"> <script nonce="foobar">document.write(123);eval('document.write(456)')</script> Actual results: First example prints 123. Second example prints 123456. Expected results: Both examples should print 123. In Chrome 64, both examples print 123. See also: http://w3c-test.org/content-security-policy/script-src/script-src-strict_dynamic_eval.html

Tomi Belan

Reporter

Comment 1

•

8 years ago

Attached file good.html — Details

Tomi Belan

Reporter

Comment 2

•

8 years ago

Attached file bad.html — Details

Tomi Belan

Reporter

Updated

•

8 years ago

Component: Untriaged → DOM: Security

Product: Firefox → Core

Daniel Veditz [:dveditz]

Updated

•

8 years ago

Assignee: nobody → cegvinoth

Status: UNCONFIRMED → NEW

Ever confirmed: true

Priority: -- → P2

Whiteboard: [domsecurity-active]

Vinothkumar Nagasayanan [:vinoth]

Assignee

Comment 3

•

8 years ago

There is some phabricator issue. So adding the patch link here for review, https://phabricator.services.mozilla.com/D859 :ckerschb Please review the patch and add your comments if any.

Phabricator Automation

Comment 4

•

8 years ago

Attached file Bug 1439330 - condition added to block eval if only strict-dynamic is present without unsafe-eval keyword — Details

Phabricator Automation

Comment 5

•

7 years ago

Attached file Bug 1439330 - Test added to check if eval is blocked if 'strict-dynamic' is enabled — Details

Vinothkumar Nagasayanan [:vinoth]

Assignee

Comment 6

•

7 years ago

Comment on attachment 8970104 [details] Bug 1439330 - Test added to check if eval is blocked if 'strict-dynamic' is enabled Please review the patch and let me know if changes are needed.

Attachment #8970104 - Flags: review?(ckerschb)

Vinothkumar Nagasayanan [:vinoth]

Assignee

Comment 7

•

7 years ago

Comment on attachment 8965731 [details] Bug 1439330 - condition added to block eval if only strict-dynamic is present without unsafe-eval keyword Please review the patch and let me know if changes are needed.

Attachment #8965731 - Flags: review?(ckerschb)

Phabricator Automation

Comment 8

•

7 years ago

Comment on attachment 8970104 [details] Bug 1439330 - Test added to check if eval is blocked if 'strict-dynamic' is enabled Christoph Kerschbaumer [:ckerschb] has approved the revision. https://phabricator.services.mozilla.com/D1011

Attachment #8970104 - Flags: review+

Christoph Kerschbaumer [:ckerschb}

Comment 9

•

7 years ago

Comment on attachment 8970104 [details] Bug 1439330 - Test added to check if eval is blocked if 'strict-dynamic' is enabled Vino, I think the patch itself for this bug looks good. Could you please also add a test that includes strict-dynamic and unsafe-eval so we have a testcase for the opposite scenario as well? Thanks!

Flags: needinfo?(cegvinoth)

Attachment #8970104 - Flags: review?(ckerschb)

Christoph Kerschbaumer [:ckerschb}

Updated

•

7 years ago

Attachment #8965731 - Flags: review?(ckerschb)

Vinothkumar Nagasayanan [:vinoth]

Assignee

Comment 10

•

7 years ago

Flags: needinfo?(cegvinoth)

Attachment #8965731 - Flags: review?(ckerschb)

Vinothkumar Nagasayanan [:vinoth]

Assignee

Comment 11

•

7 years ago

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #9) > Comment on attachment 8970104 [details] > Bug 1439330 - Test added to check if eval is blocked if 'strict-dynamic' is > enabled > > Vino, I think the patch itself for this bug looks good. Could you please > also add a test that includes strict-dynamic and unsafe-eval so we have a > testcase for the opposite scenario as well? > Thanks! I have also added the opposite scenario and updated the test cases. Please verify that too, https://phabricator.services.mozilla.com/D1011

Phabricator Automation

Comment 12

•

7 years ago

Comment on attachment 8965731 [details] Bug 1439330 - condition added to block eval if only strict-dynamic is present without unsafe-eval keyword Christoph Kerschbaumer [:ckerschb] has approved the revision. https://phabricator.services.mozilla.com/D859

Attachment #8965731 - Flags: review+

Christoph Kerschbaumer [:ckerschb}

Updated

•

7 years ago

Attachment #8965731 - Flags: review?(ckerschb)

Vinothkumar Nagasayanan [:vinoth]

Assignee

Updated

•

7 years ago

Keywords: checkin-needed

Pulsebot

Comment 13

•

7 years ago

Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/f9abb3479fdd Condition added to block eval if only strict-dynamic is present without unsafe-eval keyword. r=ckerschb https://hg.mozilla.org/integration/mozilla-inbound/rev/254e0c58f80f Test added to check if eval is blocked if 'strict-dynamic' is enabled. r=ckerschb

Keywords: checkin-needed

Stefan Hindli [:stefan_hindli]

Comment 14

•

7 years ago

Backed out 2 changesets (bug 1439330) for wpt3 failures in /content-security-policy/script-src/script-src-strict_dynamic_eval.html on a CLOSED TREE Problematic push: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=254e0c58f80fd65ad00bcd3b4dfd324a05d93e67&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-classifiedState=unclassified Failure: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-classifiedState=unclassified&selectedJob=176138888 Backout: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=eb408f77a028cd93809fadb30f101fbf4aaa4d70&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-classifiedState=unclassified 07:25:30 INFO - TEST-UNEXPECTED-PASS | /content-security-policy/script-src/script-src-strict_dynamic_eval.html | Script injected via `eval` is not allowed with `strict-dynamic` without `unsafe-eval`. - expected FAIL 07:25:30 INFO - TEST-INFO | expected FAIL 07:25:30 INFO - TEST-OK | /content-security-policy/script-src/script-src-strict_dynamic_eval.html | took 1133ms 07:25:31 INFO - PID 749 | [Child 752, Main Thread] WARNING: nsAppShell::Exit() called redundantly: file /builds/worker/workspace/build/src/widget/cocoa/nsAppShell.mm, line 738

Bogdan Maris, Desktop Test Engineering

Updated

•

7 years ago

QA Whiteboard: [good first verify]

Vinothkumar Nagasayanan [:vinoth]

Assignee

Comment 15

•

7 years ago

> 07:25:30 INFO - TEST-UNEXPECTED-PASS | > /content-security-policy/script-src/script-src-strict_dynamic_eval.html | > Script injected via `eval` is not allowed with `strict-dynamic` without > `unsafe-eval`. - expected FAIL > 07:25:30 INFO - TEST-INFO | expected FAIL > 07:25:30 INFO - TEST-OK | > /content-security-policy/script-src/script-src-strict_dynamic_eval.html | > took 1133ms > 07:25:31 INFO - PID 749 | [Child 752, Main Thread] WARNING: > nsAppShell::Exit() called redundantly: file > /builds/worker/workspace/build/src/widget/cocoa/nsAppShell.mm, line 738 Two tests script-src-strict_dynamic_eval.html.ini and script-src-strict_dynamic_new_function.html.ini are previously expected to "FAIL" because of this bug. Now after this patch those two tests PASSED, hence this wpt failure. Now I removed both .ini files and updated the same patch, https://phabricator.services.mozilla.com/D859 Please verify and let me know your comments if I can again proceed to landing the patch.

Flags: needinfo?(ckerschb)

Christoph Kerschbaumer [:ckerschb}

Comment 16

•

7 years ago

Yeah, that looks great to me, thanks!

Flags: needinfo?(ckerschb)

Vinothkumar Nagasayanan [:vinoth]

Assignee

Updated

•

7 years ago

Keywords: checkin-needed

Pulsebot

Comment 17

•

7 years ago

Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/6419ce7979bd Condition added to block eval if only strict-dynamic is present without unsafe-eval keyword. r=ckerschb https://hg.mozilla.org/integration/mozilla-inbound/rev/c12ef7d20d6c Test added to check if eval is blocked if 'strict-dynamic' is enabled. r=ckerschb

Keywords: checkin-needed

Raul Gurzau (:RaulG)

Comment 18

•

7 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/6419ce7979bd https://hg.mozilla.org/mozilla-central/rev/c12ef7d20d6c

Status: NEW → RESOLVED

Closed: 7 years ago

status-firefox62: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla62

Tomi Belan

Reporter

Comment 19

•

7 years ago

Awesome. Thanks, everyone.

You need to log in before you can comment on or make changes to this bug.