Closed Bug 1453283 Opened 8 years ago Closed 8 years ago

Firefox sending CSP report with resources from another tab/window

Categories

(Core :: DOM: Security, defect)

59 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1420680

People

(Reporter: mich, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180323154952

Steps to reproduce:

I have several tabs open - when visiting my website www.prodnet.eu (which has CSP-enforce enabled) - it sends a report for resources in a completely different tab (than the one I have www.prodnet.eu open in) - see screenshot. It's not so simple to reproduce - I've tried disabling all extensions, and refreshing the page, and the report is still sent off - I've also tried to close all windows/tabs - and I still get the CSP error. Closing the browser, and restarting - and the error is gone - enabling each extension one by one, cannot reproduce the error. Even restoring all the old tabs will not reproduce. But after a little while (10-15 minutes) the CSP error will re-occur.

I have the following extensions installed: https://www.dropbox.com/s/tv4wr5u0oxu6mpr/Screenshot%202018-04-11%2012.05.27.png?dl=0

Actual results:

Erroneous CSP reports are sent to report-uri

Expected results:

No reports should be sent. If I visit my site with Safari or Chrome - no reports are sent.
I think this is related to the "Persist Logs" feature. I can reproduce the reported bug only when checking "Persist Logs" in one of the tabs. Moving to DevTools because I could reproduce it with any logs, not just CSP errors. I don't really think this is a security issue, but I'd like to wait for other people to confirm before opening this up...
Component: Untriaged → Developer Tools: Console
Even with "Persist Logs" enabled, it should not trigger a (false) CSP report with elements completely unrelated to the current site.
If a page is dispatching a CSP report that contains information about resources being loaded in a separate tab I'd say this was absolutely a security issue.
Do you actually get the report or do you just see the log?
Ah, right, sorry, I assumed this was only about the console messages. I might have been on the wrong track about "Persist Logs", as well... I can reproduce this for CSP messages without "Persist Logs" easily. Thanks for reporting this! Let's move it to Security. Chris, can you take a look?
Group: firefox-core-security → core-security
Status: UNCONFIRMED → NEW
Component: Developer Tools: Console → Security
Ever confirmed: true
Flags: needinfo?(ckerschb)
Product: Firefox → Core
Johann, do you have some reliable repro steps? I'm struggling to debug this. For context, I run https://report-uri.com and I'm wondering if there's any way I can identify these reports. We may be able to do something like discard them if there's a problem.
Ah, damn, turns out I can't reproduce it and now I know why I was getting other duplicate messages in some tabs. I was running an add-on from previous testing which was injecting the same faulty, CSP-triggering code on two pages. :| Sorry for adding confusion here. It would be very interesting to get some STR...
This is a duplicate of a public servo bug. I don't actually think that discusses sending the reports though. Essentially the issue is with web fonts and multiple windows. I will find the dupe tomorrow, we might want to keep this open though.
(In reply to Jonathan Kingston [:jkt] from comment #9)
> This is a duplicate of a public servo bug.

I have seen a similar issue within Bug 1384741 before as well, which was related to stylo and which I think was caused by some caching problem for fonts (see Bug 1406474). Is the problem of wrong CSP reports happening only for fonts? Given comment 5 it might be. Also, the fact that the two bugs were fixed for FF57 and FF58 respectively might indicate that we are potentially still missing something.
Flags: needinfo?(ckerschb)
I think this might have been resolved in https://bugzilla.mozilla.org/show_bug.cgi?id=1420680 however we should verify this.
Yes, so far I only get the reports for "font-src"
(In reply to Jonathan Kingston [:jkt] from comment #11)
> I think this might have been resolved in
> https://bugzilla.mozilla.org/show_bug.cgi?id=1420680 however we should
> verify this.

Emilio can you help us verify that the fix you created for bug 1420680 should fix this here as well? Maybe we want the other bug uplifted?

(In reply to Scott Helme from comment #7)
> Johann, do you have some reliable repro steps? I'm struggling to debug this.
>
> For context, I run https://report-uri.com and I'm wondering if there's any
> way I can identify these reports. We may be able to do something like
> discard them if there's a problem.

Scott, I think this might just be a problem about
Flags: needinfo?(emilio)
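Comment 7 asks whether a report collector could recognise these reports. The thread gives the usable fingerprint: the document-uri is your own site, the effective directive is font-src (comment 12), the blocked host is one your stylesheets never reference, and the sender is Firefox (Safari and Chrome send nothing). The triage filter below is an added example written for this page, not code from report-uri.com or Mozilla; OWN_ORIGINS, KNOWN_FONT_HOSTS and the sample report are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Assumed allowlists (constructed for this example): the origins the site
# serves, and the font hosts its own stylesheets actually reference.
OWN_ORIGINS = {"https://www.prodnet.eu"}
KNOWN_FONT_HOSTS = {"fonts.example.net"}

def parse_csp_report(body):
    """Parse a report-uri POST body (application/csp-report JSON)."""
    data = json.loads(body)
    report = data.get("csp-report", data)  # tolerate a bare report object
    return {
        "document_uri": report.get("document-uri", ""),
        "blocked_uri": report.get("blocked-uri", ""),
        # prefer effective-directive; older reports only carry violated-directive
        "directive": report.get("effective-directive")
                     or report.get("violated-directive", ""),
    }

def classify(report, user_agent):
    """Label one report: 'normal', 'foreign-document', 'review' or 'suspect'.

    'suspect' is the cross-tab pattern from this bug: our page, a font-src
    violation for a font host we never reference, sent by Firefox.
    """
    doc = urlsplit(report["document_uri"])
    if f"{doc.scheme}://{doc.netloc}" not in OWN_ORIGINS:
        return "foreign-document"          # not our page at all; log and drop
    if not report["directive"].startswith("font-src"):
        return "normal"
    blocked_host = urlsplit(report["blocked_uri"]).hostname or ""
    if blocked_host in KNOWN_FONT_HOSTS:
        return "normal"                    # a genuine gap in our own policy
    return "suspect" if "Firefox/" in user_agent else "review"

# Constructed sample: the blocked font belongs to some unrelated site that
# was open in another tab, as described in this bug.
SUSPECT_BODY = json.dumps({"csp-report": {
    "document-uri": "https://www.prodnet.eu/",
    "blocked-uri": "https://fonts.other-site.example/font.woff2",
    "effective-directive": "font-src",
    "violated-directive": "font-src 'self'"}})
FIREFOX_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) "
              "Gecko/20100101 Firefox/59.0")

if __name__ == "__main__":
    print(classify(parse_csp_report(SUSPECT_BODY), FIREFOX_UA))  # suspect
```

Reports labelled suspect should be quarantined for review rather than silently discarded, since a real font-src violation on your own page with an unknown host would look identical.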
Yeah, looks like the same issue to me.
Flags: needinfo?(emilio)
Component: Security → DOM: Security
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Group: core-security