Closed Bug 1444582 Opened 7 years ago Closed 7 years ago

CSP triggered on valid hash

Categories: Core :: DOM: Security, defect, P2
Version: 58 Branch
Status: RESOLVED DUPLICATE of bug 1409200
People: Reporter: reina, Assigned: ckerschb
Whiteboard: [parity-chrome][domsecurity-active]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180206200532

Steps to reproduce:

Configuration (CSP):

Header set Content-Security-Policy "default-src https: ; script-src 'self' 'unsafe-eval' 'sha256-IBxdh4ZQKFbJL5iGyQLQAbPXUQstR+3Ud8YqFXzZXW8=' d3js.org/d3.v3.min.js ajax.googleapis.com/ajax/libs/angularjs/1.6.7/angular.min.js 'sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN' 'sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q' 'sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl' ; style-src maxcdn.bootstrapcdn.com 'self'; img-src * data:"

Log:

Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à https://code.jquery.com/jquery-3.2.1.slim.min.js (« script-src https://www.laviedalex.ovh 'unsafe-eval' 'sha256-IBxdh4ZQKFbJL5iGyQLQAbPXUQstR+3Ud8YqFXzZXW8=' https://d3js.org/d3.v3.min.js https://ajax.googleapis.com/ajax/libs/angularjs/1.6.7/angular.min.js 'sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN' 'sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q' 'sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl' »).
Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js (« script-src https://www.laviedalex.ovh 'unsafe-eval' 'sha256-IBxdh4ZQKFbJL5iGyQLQAbPXUQstR+3Ud8YqFXzZXW8=' https://d3js.org/d3.v3.min.js https://ajax.googleapis.com/ajax/libs/angularjs/1.6.7/angular.min.js 'sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN' 'sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q' 'sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl' »).
Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js (« script-src https://www.laviedalex.ovh 'unsafe-eval' 'sha256-IBxdh4ZQKFbJL5iGyQLQAbPXUQstR+3Ud8YqFXzZXW8=' https://d3js.org/d3.v3.min.js https://ajax.googleapis.com/ajax/libs/angularjs/1.6.7/angular.min.js 'sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN' 'sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q' 'sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl' »).

HTML:

<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js" integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q" crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script>

Actual results:

Error triggered and content blocked.

Expected results:

No error, content loaded. It's OK in Chrome but not in Firefox.
Component: Untriaged → DOM: Security
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Whiteboard: [parity-chrome]
It seems valid, but I need to take a closer look to actually figure out what's going on.
Assignee: nobody → ckerschb
Priority: -- → P2
Whiteboard: [parity-chrome] → [parity-chrome][domsecurity-active]
Freddy, you have done a lot on our hash comparison. Any chance you could take a look at this problem?
Flags: needinfo?(fbraun)
FWIW, I only wrote the SRI spec. The code was from Francois. Having looked at the pure script tags, a document with just those works fine in Firefox. E.g.,

> data:text/html,<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script><script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js" integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q" crossorigin="anonymous"></script><script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script>

So this is likely a problem with the CSP, not about SRI. Can you share a website with this config? I don't speak French :)
Flags: needinfo?(fbraun) → needinfo?(gratusfr)
Hello. Of course! The website https://www.laviedalex.ovh/ has this configuration. It's the usual error for CSP: "page's parameters prevent the loading of resource XXX (CSP rules)". Firefox allows the loading if we use the URL instead: "script-src 'self' 'unsafe-eval' 'sha256-IBxdh4ZQKFbJL5iGyQLQAbPXUQstR+3Ud8YqFXzZXW8=' d3js.org/d3.v3.min.js ajax.googleapis.com/ajax/libs/angularjs/1.6.7/angular.min.js https://code.jquery.com/jquery-3.2.1.slim.min.js https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js ;" is OK.
Flags: needinfo?(gratusfr)
Ah. I should have spotted this much earlier. We even have a duplicate for this: You are whitelisting *external* JavaScript with hashes. This is still work-in-progress for CSP3 and not specified normatively (https://www.w3.org/TR/CSP/#external-hash). Work on this CSP3 feature is already tracked in bug 1409200 (but not actively moving, afaiu).
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
For your websites, this means you'll have to use a different CSP :/ I think you could either whitelist the specific scripts via nonce (with strict-dynamic?) or whitelist the whole CDN host names (which is probably opening some attack vectors)
Thanks for the response. All the documentation I found doesn't talk about restrictions on external JS. We can whitelist an entire URL and the browser checks the integrity in <script>, so it doesn't open an attack vector in the end.
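An added illustration of the point Freddy makes above (not code from the bug, from Firefox or from the reporter's site): a small model of script-src matching using the reporter's own policy and script tags. Under CSP2 rules a hash source only ever covers inline scripts, so the three CDN scripts fail every source and are blocked; under the CSP3 "external hash" proposal (https://www.w3.org/TR/CSP/#external-hash) a hash source also matches an external script whose integrity= attribute carries the same digest, which is what the reporter expected. Scheme handling and the full CSP grammar are deliberately simplified.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# script-src directive and <script> tags copied from the bug report (other directives omitted).
POLICY = ("script-src 'self' 'unsafe-eval' 'sha256-IBxdh4ZQKFbJL5iGyQLQAbPXUQstR+3Ud8YqFXzZXW8=' "
          "d3js.org/d3.v3.min.js ajax.googleapis.com/ajax/libs/angularjs/1.6.7/angular.min.js "
          "'sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN' "
          "'sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q' "
          "'sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl'")
SCRIPTS = [  # (src, integrity)
    ("https://code.jquery.com/jquery-3.2.1.slim.min.js", "sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN"),
    ("https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js", "sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q"),
    ("https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js", "sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl"),
]

def hash_source(content: bytes, alg: str = "sha384") -> str:
    """CSP/SRI hash source: '<alg>-<base64 digest>' over the exact script bytes."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, content).digest()).decode()}"

def parse_script_src(policy: str) -> dict:
    """Split script-src into keyword, hash and host sources (quotes stripped from hashes)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return {"hashes": {s.strip("'") for s in parts[1:] if s.startswith("'sha")},
                    "keywords": {s for s in parts[1:] if s.startswith("'") and not s.startswith("'sha")},
                    "hosts": [s for s in parts[1:] if not s.startswith("'")]}
    raise ValueError("policy has no script-src directive")

def host_matches(source: str, url: str) -> bool:
    """Host-source match: same host; exact path if one is given, prefix if it ends in '/'."""
    s, u = urlsplit(source if "://" in source else "https://" + source), urlsplit(url)
    if u.netloc != s.netloc:
        return False
    return not s.path or (u.path.startswith(s.path) if s.path.endswith("/") else u.path == s.path)

def script_allowed(policy, page_origin, src=None, integrity=None, body=b"", csp3_external_hash=False):
    d = parse_script_src(policy)
    if src is None:  # inline script: allowed only if a listed hash matches its body
        return any(hash_source(body, a) in d["hashes"] for a in ("sha256", "sha384", "sha512"))
    hosts = d["hosts"] + ([page_origin] if "'self'" in d["keywords"] else [])
    if any(host_matches(h, src) for h in hosts):
        return True
    # CSP3 external hash: a hash source covers an external script when the same digest
    # appears in integrity=; SRI then verifies the fetched bytes against that digest.
    return csp3_external_hash and bool(integrity) and any(h in d["hashes"] for h in integrity.split())

def evaluate(csp3_external_hash: bool) -> dict:
    """Decide each CDN script from the report for the origin Firefox expanded 'self' to."""
    return {src: script_allowed(POLICY, "https://www.laviedalex.ovh", src, integrity,
                                csp3_external_hash=csp3_external_hash) for src, integrity in SCRIPTS}
```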