Bug 1445643
Opened 7 years ago
Updated 2 years ago
Extension triggers CSP violation on base-uri directive
Categories: Core :: DOM: Security, defect, P3
Status: NEW
People: Reporter: dante3333, Unassigned
Whiteboard: [domsecurity-active]
Attachments (1 file): 72.80 KB, image/jpeg
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180310025718
Steps to reproduce:
I've used the WebExtension WCAG Contrast Checker on one of my websites, https://van11y.net/ (this one has CSP directives enabled,
Actual results:
2 things:
- Extension is not loading CSS (?).
- It triggered a CSP violation:
```
{
"csp-report": {
"blocked-uri": "moz-extension",
"document-uri": "https://van11y.net/fr/",
"original-policy": "default-src 'none'; script-src https://van11y.net; style-src https://van11y.net; img-src https://van11y.net; font-src https://van11y.net; connect-src https://van11y.net; child-src https://van11y.net; frame-ancestors https://van11y.net; manifest-src https://van11y.net; worker-src https://van11y.net; base-uri 'none'; form-action 'none'; report-uri https://van11y.net/csp-parser.php",
"referrer": "https://van11y.net/",
"violated-directive": "base-uri"
}
}
```
Expected results:
A WebExtension should not trigger a CSP base-uri violation. (Maybe an exception to add, related to https://bugzilla.mozilla.org/show_bug.cgi?id=1415352 ?)
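The report above is exactly what a site's report-uri endpoint (csp-parser.php here) has to sort through, and extension-originated reports like this one tend to bury the violations a site owner can actually act on. As an added example, not code from the bug or from Firefox, the following Python routine parses a report in this format, resolves the violated directive's source list from `original-policy`, and flags a report whose `blocked-uri` is a browser-extension scheme as extension noise. The list of extension schemes and the second, constructed sample report are my assumptions; the first sample is the report quoted in this bug.

```python
from __future__ import annotations

import json
from urllib.parse import urlsplit

# Schemes browsers use for extension-origin URLs (assumed list). Reports usually
# carry only the bare scheme ("moz-extension") as blocked-uri, which is why the
# extension itself cannot be identified from the report.
EXTENSION_SCHEMES = {
    "moz-extension",
    "chrome-extension",
    "safari-extension",
    "ms-browser-extension",
}

# Directives that never fall back to default-src when absent from the policy.
NO_DEFAULT_FALLBACK = {
    "base-uri", "form-action", "frame-ancestors", "sandbox",
    "report-uri", "report-to", "upgrade-insecure-requests", "block-all-mixed-content",
}

# Sample 1: the report copied from this bug's description.
REPORT_FROM_BUG = json.dumps({
    "csp-report": {
        "blocked-uri": "moz-extension",
        "document-uri": "https://van11y.net/fr/",
        "original-policy": "default-src 'none'; script-src https://van11y.net; style-src https://van11y.net; img-src https://van11y.net; font-src https://van11y.net; connect-src https://van11y.net; child-src https://van11y.net; frame-ancestors https://van11y.net; manifest-src https://van11y.net; worker-src https://van11y.net; base-uri 'none'; form-action 'none'; report-uri https://van11y.net/csp-parser.php",
        "referrer": "https://van11y.net/",
        "violated-directive": "base-uri",
    }
})

# Sample 2: a constructed report for a genuine script-src violation (not from the bug).
CONSTRUCTED_SCRIPT_REPORT = json.dumps({
    "csp-report": {
        "blocked-uri": "https://third-party.example/tracker.js",
        "document-uri": "https://van11y.net/fr/",
        "original-policy": "default-src 'none'; script-src https://van11y.net; report-uri https://van11y.net/csp-parser.php",
        "referrer": "",
        "violated-directive": "script-src",
    }
})


def parse_policy(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}.

    Per the CSP spec the first occurrence of a directive wins, so setdefault is used.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def blocked_scheme(blocked_uri: str) -> str:
    """Return the scheme of blocked-uri.

    Handles both the bare-scheme form ("moz-extension") seen in this bug and the
    full-URL form ("moz-extension://<uuid>/page.html").
    """
    if "://" in blocked_uri:
        return urlsplit(blocked_uri).scheme.lower()
    return blocked_uri.rstrip(":").lower()


def triage(raw_report: str) -> dict:
    """Classify one csp-report JSON document for a report-collecting endpoint."""
    body = json.loads(raw_report)["csp-report"]
    directives = parse_policy(body.get("original-policy", ""))

    # Newer browsers also send "effective-directive"; prefer it when present.
    # Older Firefox builds could put the whole directive text ("base-uri 'none'")
    # in violated-directive, so only the first token is taken as the name.
    name = body.get("effective-directive") or body.get("violated-directive") or ""
    directive = (name.split() or [""])[0].lower()

    sources = directives.get(directive)
    if sources is None and directive not in NO_DEFAULT_FALLBACK:
        sources = directives.get("default-src", [])  # fetch directives fall back to default-src

    scheme = blocked_scheme(body.get("blocked-uri", ""))
    return {
        "document": body.get("document-uri", ""),
        "directive": directive,
        "sources": sources or [],
        "blocked_scheme": scheme,
        "extension_noise": scheme in EXTENSION_SCHEMES,
    }


def partition(raw_reports: list[str]) -> tuple[list[dict], list[dict]]:
    """Split reports into (actionable, extension_noise) so real violations are reviewed first."""
    actionable, noise = [], []
    for raw in raw_reports:
        result = triage(raw)
        (noise if result["extension_noise"] else actionable).append(result)
    return actionable, noise


if __name__ == "__main__":
    for kind, items in zip(("actionable", "extension noise"), partition([REPORT_FROM_BUG, CONSTRUCTED_SCRIPT_REPORT])):
        for r in items:
            print(f"{kind}: {r['directive']} {r['sources']} blocked scheme={r['blocked_scheme']!r} on {r['document']}")
```

The useful output for this bug is the `extension_noise` flag: the report from the description resolves to `base-uri ['none']` with blocked scheme `moz-extension`, which no page author can fix, whereas the constructed script-src report is a real policy decision worth keeping in the queue.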
Comment 1•7 years ago
The extension is https://addons.mozilla.org/fr/firefox/addon/wcag-contrast-checker/.
Comment 2•7 years ago
I believe this belongs to DOM::Security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Comment 3•7 years ago (Reporter)
Just to complete: I've tested it on another website without a base-uri directive specified (example: https://a11y.nicolas-hoffmann.net/): no problem.
Another website with the base-uri directive enabled (https://rocssti.net/) gives the same issue.
Comment 4•7 years ago
Same issue with https://addons.mozilla.org/fr/firefox/addon/headingsmap/ (same creator).
Firefox 58.0.2, 59.0 and 61.0a1 (2018-03-14)
Source code on GitHub
Comment 5•7 years ago
Same issue with HeadingsMap (same creator): https://addons.mozilla.org/fr/firefox/addon/headingsmap/
Firefox 58.0.2, 59.0 and 61.0a1 (2018-03-14)
These extensions seem to add an iframe to the HTML page with a BASE tag.
Source code on GitHub.
Comment 6•7 years ago
A link to the GitHub repository would have been useful :-) I finally found them:
* https://github.com/rumoroso/colorChecker
* https://github.com/rumoroso/headingsMap
(I hadn't thought of checking the author's name on GitHub before...)
Comment 7•7 years ago (Reporter)
(In reply to Julien Wajsberg [:julienw] from comment #6)
> (I hadn't thought of checking the author's name on GitHub before...)
Neither had I :)
Comment 8•7 years ago
I haven't evaluated this bug precisely, but the fact that subjectToCSP(uri) is only consulted within nsCSPService::ShouldLoad() might be the problem here. The callsite into CSP for evaluating the base-uri directive within CSP is here [1]. Probably we should slightly refactor that. Maybe it's only a problem for moz-extension and we can just whitelist moz-extension. Anyway, we need to take a closer look and fix that.
[1] https://dxr.mozilla.org/mozilla-central/source/dom/html/HTMLSharedElement.cpp#159
Updated•7 years ago
Assignee: nobody → cegvinoth
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Whiteboard: [domsecurity-active]
Updated•6 years ago
Assignee: cegvinoth → nobody
Priority: P2 → P3
Updated•2 years ago
Severity: normal → S3