1439444 - Firefox nightly shows XML content as plain text

Status: VERIFIED FIXED

(Core :: DOM: Security, defect, P1)

Description

[Andrei Petcu]

Attachment: nightly_bad.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180219100221

Steps to reproduce:

I visited this web site on a newly created Firefox profile with Firefox Nightly https://c03.federatenow.com/metadata/connectis/staging/dienstencatalogus_1.11.xml


Actual results:

The XML file looked ugly like in nightly_bad.png


Expected results:

It should have looked like in stable_good.png with syntax highlighting.
I have no extensions, as I said.... fresh profile.

Comment 1

[Andrei Petcu]

Attachment: stable_good.png

Comment 2

[Gingerbread Man]

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
20180219220041

Response header:
Content-Security-Policy: default-src 'none'; block-all-mixed-content; base-uri 'self'; script-src 'self'; form-action http: https:; connect-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:;

Browser console errors:
Content Security Policy: The page’s settings blocked the loading of a resource at chrome://global/content/xml/XMLPrettyPrint.css (“style-src”).  (unknown)
Content Security Policy: The page’s settings blocked the loading of a resource at chrome://global/content/xml/XMLMonoPrint.css (“style-src”).  (unknown)

Regression range:
https://hg.mozilla.org/integration/mozilla-inbound/json-pushes?changeset=d4aa33646f8bb62025644f240b71af17a854fcca&full=1

Comment 3

[Christoph Kerschbaumer [:ckerschb]]

chrome: URLs are now subject to CSP. Are you the owner of the page? In other words, can you modify the CSP or is it a site you visited? If you own the site, then you would have to add chrome: to style-src.

If you don't own the page, then we need evangelize.

Comment 4

[Masatoshi Kimura [:emk]]

I don't think it is reasonable to expect that web pages white-list a scheme that just one browser happens to use internally. We should rather hide our internals to web pages. Why chrome: URLs are subject to CSP that is served from less-privileged origins?

Comment 5

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Firefox adds the chrome style to the plain text XML, that's nothing site owners should have to do. Now the "-" buttons to collapse nodes don't work, the style is missing and it looks almost like plain text but the information that there is no style information for the document near the top got added by Firefox.

Comment 6

[:Gijs (he/him)]

(In reply to Masatoshi Kimura [:emk] from comment #4)
> I don't think it is reasonable to expect that web pages white-list a scheme
> that just one browser happens to use internally.

I would agree with this.

> We should rather hide our
> internals to web pages. Why chrome: URLs are subject to CSP that is served
> from less-privileged origins?

I've CC'd you on the blocking bug, which answers this question.

Perhaps we can make the CSP stuff continue to ignore contentaccessible chrome: URIs. Though coincidentally, we are considering removing XBL binding for the XML pretty print stuff (bug 1432636) which might help here.

I would be curious if there are similar issues with pages that use strict CSP and have video on them. Do they also not work? If they do, why isn't the video bindings' use of chrome: and/or resource: content affected by CSP, while that of the XML pretty print code is?

Comment 7

[Christoph Kerschbaumer [:ckerschb]]

I think Gijs provided a reasonable answer within comment 6. I'll have a look and see if video bindings are affected. And it seems my comment 3 wasn't completely thought through. I blame the jetlag for that and will take a look ASAP.

Comment 8

[Andrei Petcu]

I don't own the site. I think XML should look pretty in Firefox regardless if the site owner is aware of this or not.

Comment 9

[Andrei Petcu]

Latest Nightly works fine now. The issue is gone.

Comment 10

[Andrei Petcu]

Sorry for the spam.. the issue is still there :( I tested by mistake with a different URL

Comment 11

[Andrei Petcu]

Is there any workaround? Can I disable CSP for some domains? I see a lot of XML in my browser and this really bothers me.

Comment 12

[Christoph Kerschbaumer [:ckerschb]]

(In reply to andrei from comment #11)
> Is there any workaround? Can I disable CSP for some domains? I see a lot of
> XML in my browser and this really bothers me.

I can't think of any workaround. You can't disable CSP for a page. Gijs, do you happen to know a workaround?

I'll try to look if I can get a fix for this, though it might take a little while.

Comment 13

[:Gijs (he/him)]

No, I'm not aware of a good workaround. If you're happy writing JS you could probably write a webextension that used webRequests to mess with the CSP headers.

Christoph, to fix this, can we make the code here https://dxr.mozilla.org/mozilla-central/rev/c50f5f846c2e6b4c8da1e80b6790926ad84c3450/dom/security/nsCSPService.cpp#93-100 check if the content type is style or image (or maybe XBL) and not return in that case? That seems like it might help and wouldn't reduce the effectiveness of the fix in the other bug...

Comment 14

[:Gijs (he/him)]

So something like this: https://pastebin.mozilla.org/9078871

(can't test right now, will be able to in about 4 hours)

Comment 15

[Gingerbread Man]

(In reply to andrei from comment #11)
> Is there any workaround? Can I disable CSP for some domains?

1. https://addons.mozilla.org/firefox/addon/header-editor/
2. Click the Header Editor toolbar button.
3. Click the (+) Add button.
4.
Name: something descriptive, e.g. CSP override
Rule type: Modify the response header
Match type: Regular expression
Match rules: https?:\/\/.*\.federatenow.com\/.*\.xml
Execute type: normal
Header name: Content-Security-Policy
Header value: default-src 'none'; block-all-mixed-content; base-uri 'self'; script-src 'self'; form-action http: https:; connect-src 'self'; style-src 'self' chrome:; font-src 'self' data:; img-src 'self' data:;
5. Click the floppy diskette icon in the top right to save the new rule.

Comment 16

[Christoph Kerschbaumer [:ckerschb]]

Attachment: bug_1439444_except_img_css_from_csp.patch

How about that?

Comment 17

[Christoph Kerschbaumer [:ckerschb]]

I think this bug also fixes Bug 1439964.

Comment 18

[Christoph Kerschbaumer [:ckerschb]]

Attachment: bug_1439444_except_img_css_from_csp.patch

Slight tweak to the previous patch - here we go.

Comment 19

[:Gijs (he/him)]

Comment on attachment 8955105 [details] [diff] [review]
bug_1439444_except_img_css_from_csp.patch

Review of attachment 8955105 [details] [diff] [review]:
-----------------------------------------------------------------

Yep, tested and this seems to work both here and for the image case. Thanks!

Comment 20

[Pulsebot]

Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/93507e0f2d3d
resource and chrome images and styles should not be subject to CSP. r=gijs

Comment 21

[Dorel Luca [:dluca]]

https://hg.mozilla.org/mozilla-central/rev/93507e0f2d3d

Comment 23

[Andrei Petcu]

It works! Thank you!

Comment 24

[Daniel_A[:daschilean] [Please contact - liviu.seplecan@softvision.ro]]

I verified this issue on Mac OS X 10.12, Ubuntu 16.04, Windows 10 with FF Nightly 61.0a1(2018-03-12) and I can't reproduce this issue anymore. I also verified this issue on Nightly 60.0a1(2018-02-19) and I was able to reproduce it. Based on the the results mentioned above, I will mark this as verified fixed.