Closed Bug 1469150 Opened 7 years ago Closed 7 years ago

CSP: Scripts with valid nonce get blocked if URL redirects

Categories

(Core :: DOM: Security, defect, P1)

60 Branch
defect

Tracking

RESOLVED FIXED
mozilla62
Tracking Status
firefox62 --- fixed

People

(Reporter: lwe, Assigned: vinoth, Mentored)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

Firefox's CSP implementation blocks dynamically created script tags (scripts created via document.createElement) with a valid nonce if the URL redirects. Since the created script has a valid nonce it should execute (script gets executed in Chrome). Because of this bug, sites setting a nonce-based CSP (without strict-dynamic) randomly break in Firefox if some of their scripts are behind redirects.

Code to reproduce in Firefox:

    <!DOCTYPE html>
    <html>
    <head>
    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
    </head>
    <body>
    <script nonce='abcd1234'>
      var s = document.createElement('script');
      s.setAttribute('nonce', 'abcd1234');
      s.src = 'https://goo.gl/jEH8zk'; // 301 redirect.
      document.head.appendChild(s); // Blocked by CSP in FF because of redirect.
    </script>
    </body>
    </html>

Preview:
https://gist.github.com/lweichselbaum/9c8e32c592889ffc2f103fce9d45eaea
http://gist-preview.herokuapp.com/preview?gist_url=https%3A%2F%2Fgist.githubusercontent.com%2Flweichselbaum%2F9c8e32c592889ffc2f103fce9d45eaea%2Fraw%2F505ed8c472a805c70cd05059206dd5f91c9a06ce%2FFF_CSP_BUG.html
Turns out that normally sourced scripts are affected as well:

    <html>
    <head>
    <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
    </head>
    <body>
    <script nonce='abcd1234' src='https://goo.gl/jEH8zk'></script>
    </body>
    </html>

The script gets blocked in Firefox. This is actually a big problem for nonce-only CSPs. Adding 'strict-dynamic' to the CSP makes it work again, which actually should only apply to dynamically created scripts.
Summary: CSP: Dynamically created script with valid nonce gets blocked if URL redirects → CSP: Scripts with valid nonce get blocked if URL redirects
Component: Security → DOM: Security
Product: Firefox → Core
Christoph says Vino could take a look.
Assignee: nobody → cegvinoth
Blocks: csp-w3c-2
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Whiteboard: [domsecurity-active]
Comment on attachment 8986335 [details] Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed

For redirects, the requestContext parameter of AsyncOnChannelRedirect() was previously nullptr, so the element's nonce was not fetched in nsCSPContext.cpp: https://dxr.mozilla.org/mozilla-central/rev/75a32b57132f8cba42779555662a057a0416a313/dom/security/nsCSPContext.cpp#192 This is now fixed by passing the requestContext parameter from nsCSPService.
Attachment #8986335 - Flags: review?(ckerschb)
Comment on attachment 8986349 [details] Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects.

Test files added to check that scripts with a valid nonce are allowed if the URL is redirected.
Attachment #8986349 - Flags: review?(ckerschb)
Comment on attachment 8986349 [details] Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects. Christoph Kerschbaumer [:ckerschb] has approved the revision. https://phabricator.services.mozilla.com/D1721
Attachment #8986349 - Flags: review+
Attachment #8986335 - Flags: review?(ckerschb)
Attachment #8986349 - Flags: review?(ckerschb)
Comment on attachment 8986335 [details] Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed I have made the requested changes. Please review the patch and let me know if changes are needed.
Attachment #8986335 - Flags: review?(ckerschb)
Comment on attachment 8986335 [details] Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed Christoph Kerschbaumer [:ckerschb] has approved the revision. https://phabricator.services.mozilla.com/D1720
Attachment #8986335 - Flags: review+
Attachment #8986335 - Flags: review?(ckerschb)
Keywords: checkin-needed
Thank you for fixing so quickly. What is the first major version which will have this fix? (Need this info to update Google's CSP gears).
Pushed by archaeopteryx@coole-files.de: https://hg.mozilla.org/integration/mozilla-inbound/rev/4b1d446faee6 CSP: Scripts with valid nonce get blocked if URL redirects is fixed r=ckerschb https://hg.mozilla.org/integration/mozilla-inbound/rev/ce98fd40ce82 Tests added to check scripts with valid nonce is allowed if URL redirects. r=ckerschb
Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
(In reply to Michele Spagnuolo from comment #11)
> Thank you for fixing so quickly.
>
> What is the first major version which will have this fix? (Need this info to
> update Google's CSP gears).

Firefox 62 is the major version targeted for this fix.