Open Bug 1455663 Opened 7 years ago Updated 2 years ago

CSP reports are sent after using the Developer Tools Inspector

Categories

(DevTools :: Inspector, defect, P3)

Product:
DevTools
Component:
Inspector
Version:
59 Branch
Type:
defect

Tracking

(Not tracked)

Status:
REOPENED

People

(Reporter: bugzilla, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

report-uri.png
98.55 KB, image/png
Details
Attached image report-uri.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 Steps to reproduce: 1. Create a page that has a CSP enforced and does not allow inline scripts or styles. 2. Visit the page. 3. Open the Developer Tools. 4. Reload the page. 5. Observe the Network tab. It's worth noting that no CSP violations appear in the console yet the CSP reports are sent in the Network tab, screenshots of both attached. I've also created a video to demo the bug: https://youtu.be/vexkLkPrfWw Actual results: CSP reports are sent when they shouldn't be. Expected results: These CSP reports should not be sent.
Ok, I thought I'd attached multiple screenshots but it only seemed to do one of them. I can't add the others either.
Do you have an example link? http://csp-attacker.com/first-party.php redirects to http://www.csp-attacker.com/first-party.php which results in a Server Not Found error. Can you reproduce the issue in the latest Nightly in a brand new profile? https://nightly.mozilla.org https://support.mozilla.org/kb/profile-manager-create-and-remove-firefox-profiles
Component: Untriaged → DOM: Security
Product: Firefox → Core
Oh those links won't work publicly, I'm resolving them locally for testing purposes. I was actually trying to repro another bug to raise that and found this one too. I've just installed Nightly and can reliably repro the issue in a new profile, screenshot: https://imgur.com/a/JLcexX2 The PHP for the page I'm visiting: <?php header('Content-Security-Policy: default-src \'self\'; report-uri https://scotthelme.report-uri.com/r/d/csp/enforce'); ?> <html> Nothing to see here... </html>
I wonder if some devtools context is inheriting the CSP from content?
Flags: needinfo?(bgrinstead)
There are some known CSP issues in DevTools, such as style edits being blocked (bug 1391994), but in this bug it appears the Inspector is not used, so this may be separate.
(In reply to Daniel Veditz [:dveditz] from comment #4) > I wonder if some devtools context is inheriting the CSP from content? I'm not sure I understand - from the description it sounds like the problem is that Firefox is sending CSP error reports when it shouldn't be. Or is it that the netmonitor is incorrectly showing CSP error reports when they aren't being sent?
Flags: needinfo?(bgrinstead) → needinfo?(dveditz)
Given the page's CSP and the contents of the page there should be no error reports sent, and they aren't when the page is loaded. When DevTools is open Firefox sends multiple error reports. The attached screenshot of Scott's domain shows these errors are in fact being delivered to his error reporting site. What does DevTools do when it's open that could cause this? Either DevTools is injecting content into the open page or DevTools is inheriting the page's CSP somehow. Both of those would be bad--especially the second since DevTools should have its own CSP and the page's CSP could break DevTools. From the errors some of it looks like inline style attributes, and for some reason a load of http://example.com. I can't find anything in searchfox.org that looks like it would inject a reference to example.com except in GCLI (as a referrer) which wouldn't come into play here.
Flags: needinfo?(dveditz) → needinfo?(bgrinstead)
Christoph: do you have any idea what's going on here?
Flags: needinfo?(ckerschb)
(In reply to Brian Grinstead [:bgrins] from comment #6) > I'm not sure I understand - from the description it sounds like the problem > is that Firefox is sending CSP error reports when it shouldn't be. Or is it > that the netmonitor is incorrectly showing CSP error reports when they > aren't being sent? The problem is the following: * When visiting a CSP compliant page that ships with a policy which restricts inline scripts and styles; then no errors are displayed in the console - which is expected behavior. * When opening the network monitor and reloading the page, you see in the network monitor that CSP errors are send to the defined report-uri which indicates that Devtools is either incorrectly inheriting the CSP or injects content in the page. I set up a testpage [1] using: > script-src 'none'; report-uri https://www.christophkerschbaumer.com/report.php but it seems I still can't reproduce the problem. There are no errors in the console (I know that is expected) but I also don't see any errors in the Network panel either. Would be curious to know what the problem is. Scott, is your setup different from mine? [1] https://www.christophkerschbaumer.com/test/csp_incorrect_devtools.html
Flags: needinfo?(ckerschb) → needinfo?(scotthelme)
The Inspector injects elements into the page to highlight things, so potentially that's affecting things, even though we aren't using it directly...? Christoph, it looks like Scott used `default-src` instead. Does that version trigger reports? Looking at Scott's report image, it seems like style changes like `position: absolute` are triggering this, so maybe `style-src` is the minimal version needed.
Flags: needinfo?(ckerschb)
(In reply to J. Ryan Stinnett [:jryans] (use ni?) from comment #10) > Christoph, it looks like Scott used `default-src` instead. Does that > version trigger reports? Looking at Scott's report image, it seems like > style changes like `position: absolute` are triggering this, so maybe > `style-src` is the minimal version needed. Unfortunately also using > script-src 'none'; style-src 'none'; report-uri https://www.christophkerschbaumer.com/report.php as the CSP does not allow me to reproduce the problem. (FWIW, I also tried default-src, no difference).
Flags: needinfo?(ckerschb)
Scott: in addition to trying Christoph's link (comment 9), what exact versions of Firefox did you test? The Chrome version in comment 0 doesn't help us :-)
What, you can't figure out this bug in Firefox with a Chrome version number? ;-) I'm on the road for a couple of weeks now so I can't get access to my desktop PC where I raised this. I'm generally always careful to update to the latest version, especially when raising bugs, so it was most likely latest at the time. Let me see if I can get someone to repro and post the version.
Just installed it on my Mac, can repro here. https://imgur.com/a/uaClCGO
Flags: needinfo?(scotthelme)
I updated to latest too. https://imgur.com/a/b3wqYiI
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #9) > (In reply to Brian Grinstead [:bgrins] from comment #6) > > I'm not sure I understand - from the description it sounds like the problem > > is that Firefox is sending CSP error reports when it shouldn't be. Or is it > > that the netmonitor is incorrectly showing CSP error reports when they > > aren't being sent? > > The problem is the following: > * When visiting a CSP compliant page that ships with a policy which > restricts inline scripts and styles; then no errors are displayed in the > console - which is expected behavior. > * When opening the network monitor and reloading the page, you see in the > network monitor that CSP errors are send to the defined report-uri which > indicates that Devtools is either incorrectly inheriting the CSP or injects > content in the page. > > I set up a testpage [1] using: > > script-src 'none'; report-uri https://www.christophkerschbaumer.com/report.php > but it seems I still can't reproduce the problem. There are no errors in the > console (I know that is expected) but I also don't see any errors in the > Network panel either. > > Would be curious to know what the problem is. > > Scott, is your setup different from mine? > > [1] https://www.christophkerschbaumer.com/test/csp_incorrect_devtools.html I can repro with the exact same steps on your site: https://imgur.com/a/ar9DU0D
(In reply to Brian Grinstead [:bgrins] from comment #6) > (In reply to Daniel Veditz [:dveditz] from comment #4) > > I wonder if some devtools context is inheriting the CSP from content? > > I'm not sure I understand - from the description it sounds like the problem > is that Firefox is sending CSP error reports when it shouldn't be. Or is it > that the netmonitor is incorrectly showing CSP error reports when they > aren't being sent? They're definitely being sent, I'm picking up mine in my Report URI account. Also, in the example above, the ones from Christoph's site are also returning a 404 which seems right as the endpoint doesn't exist.
I've tested this on Firefox 59.0.2 and 60.0 with a clean profile, and my usual dev profile on Nightly 61 and 62. I do not see the network requests for CSP errors from Christoph's page. Have you tried a clean profile or "safe mode"? This could be from some extension you have installed because we can't reproduce it.
Flags: needinfo?(bgrinstead) → needinfo?(scotthelme)
If we get more information we can reopen the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
I have a new laptop handy so I've installed Firefox and managed to repro it using the steps in OP on the first try: https://imgur.com/a/ZXlmP1X https://imgur.com/a/jmFbYda https://imgur.com/a/6ViJq7D I haven't signed in, so nothing should be synced, and I have no extensions installed as you can see in the screenshot. I also went and installed nightly and was able to repro there too: https://imgur.com/a/PKghxCI https://imgur.com/a/2jrUWln https://imgur.com/a/5iF6CrQ After that I created a new profile and reproduced the issue (I already did this in comment 3 above): https://imgur.com/a/YA9meGH https://imgur.com/a/3c5EZjC I made a quick screen record gif of the repro steps here: https://imgur.com/a/xF6ZYCy In all of these examples the reports were sent by the browser yet no errors appeared in the console, they only showed up in the network tab. From my side I can't think of anything more I can say/provide but if there's something specific you need, just let me know! The demo site in all the screenshots and gif above is available for you to use if you like, I will try to keep it online for a while: http://206.189.223.5/ I'm not sure if it's relevant but I have now reproduced this on Mac and Windows per my previous comments so it doesn't seem to be a particular platform at least. Can't think of anything else to add so I hope that's enough.
Flags: needinfo?(scotthelme) → needinfo?(dveditz)
Reproduces just fine here, Win10, x64, FF 60.1 x64, all add-ons disabled, no proxy(s). https://imgur.com/a/qchS5UK
(In reply to ronny tyink from comment #21) > Reproduces just fine here, Win10, x64, FF 60.1 x64, all add-ons disabled, no > proxy(s). > > https://imgur.com/a/qchS5UK That should be 60.0.1
Crowdsourcing some help and it seems it might matter how you get to the Inspector/Network tab: https://twitter.com/PCJ_PCJonathan/status/1001936672991346688 It seems you have to follow my method in the video and right click -> Inspect rather than any other method like F12. Perhaps that's related to you being able to repro @dveditz?
It took a couple of tries but now it also reproduces on this page https://www.christophkerschbaumer.com/test/csp_incorrect_devtools.html https://imgur.com/a/WdyVUsS
I can also reproduce this with F12, it needs the following steps: Open https://www.christophkerschbaumer.com/test/csp_incorrect_devtools.html. Press F12. Click on the 'pick an element from the page' Switch to network. Refresh. So it looks like the element picker is triggering this.
I just saw the update from Ronny come through above and was about to report the same after a comment on Twitter: https://twitter.com/0b10011/status/1001938998540029958 It seems the element inspector is causing this and I have a gif here to show how it only triggers after the "Pick an element from the page" overlay is activated: https://imgur.com/a/GSC4yot
I can see the reports as well (trying the steps in comment 25). This suggests to me that is related to how the Inspector interacts with the page.
Status: RESOLVED → REOPENED
Depends on: 1391994
Ever confirmed: true
Resolution: WORKSFORME → ---
Thanks for the updated steps: I can reproduce now! You don't need to use the context menu 'Inspect Element' but if you open DevTools another way you do need to switch to the Inspector tab and mouse over the syntax a bit so the highlight shows up. _THEN_ reloading sends off the error reports. We're apparently not able to determine the highlights elements were injected from extension/external content. We're complaining about the inline style defining the box, which is constructed dynamically from the actual page contents so it's not like we could provide a moz-extension: or chrome: style source for it. We should be able to poke individual values in the CSSOM without triggering "inline" detection though. As long as it's more "script" than parsing style text it should be allowed (if we can't figure out the running script context and fix it that way) Most of the error reports we send look incomplete. No "blocked-uri" as if it's complaining about something inline, but no inline context (like "script-sample") that I'd expect if that's the case. A whole bunch of useless reports, really. And more of them than there are elements on the original page. What's generating these? I think this is going to have to be addressed in DevTools to start with. It may ultimately require implementation changes or hooks in CSP if the CSSOM approach is impractical, but start there.
Component: DOM: Security → Developer Tools: Inspector
Flags: needinfo?(dveditz)
Product: Core → Firefox
Summary: CSP reports are sent after opening the Developer Tools → CSP reports are sent after using the Developer Tools Inspector
Nevermind some of my blather -- we're not triggering the CSP reports when the content is injected so we're obviously doing the initial highlight OK. Why is it still there and triggering CSP when we do a reload?
Product: Firefox → DevTools
(created a test page since I needed CSP examples anyways: https://firefox-devtools-csp.glitch.me/) > Nevermind some of my blather -- we're not triggering the CSP reports when the content is injected so we're obviously doing the initial highlight OK. Why is it still there and triggering CSP when we do a reload? It looks like it always throws 10 errors, no matter how many elements are being selected. Since the errors are sent during the next reload, could the CSP issues be triggered on unload? :gl do we have any teardown code for the highlighter?
Flags: needinfo?(gl)
@ckerschb So this issue is caused by `CanvasFrameAnonymousContentHelper`, which allows us to inject the DevTools highlighter into the document's canvasFrame anonymous content container. If a CSP restricts injection of scripts a violation message is sent to the CSP Report. I spoke with mgoodwin about this issue and he said that he thinks we need a source directive that would prevent the CSP violation being sent in this particular situation. What do you think we should do?
Flags: needinfo?(ckerschb)
(In reply to Mike Ratcliffe [:miker] [:mratcliffe] [:mikeratcliffe] from comment #31) > I spoke with mgoodwin about this issue and he said that he thinks we need a > source directive that would prevent the CSP violation being sent in this > particular situation. I am not sure I understand how that would work. Would we only use that directive internally? > What do you think we should do? If needed we can definitely find a fix for the specific problem reported in this bug. Overall, we are going to move the CSP from the Principal into the Client (within the loadinfo) over in Bug 965637. I am confident that the changes within Bug 965637 provide a broader solution to all the Devtools related problems with CSP we are facing.
Flags: needinfo?(ckerschb)
OS: Unspecified → All
Priority: -- → P3
Hardware: Unspecified → All
See Also: → 1478627

Clearing needinfo since it seems my needinfo was already addressed by miker in comment 31

Flags: needinfo?(gl)
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: