Closed Bug 1469150 Opened 2 years ago Closed 2 years ago

CSP: Scripts with valid nonce get blocked if URL redirects

Categories

(Core :: DOM: Security, defect, P1)

60 Branch
defect

RESOLVED FIXED
mozilla62
Tracking Status
firefox62 --- fixed

People

(Reporter: lwe, Assigned: vinoth, Mentored)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files)

Firefox's CSP implementation blocks dynamically created script tags (scripts created via document.createElement) with a valid nonce if the URL redirects.
Since the created script has a valid nonce it should execute (script gets executed in Chrome).
Because of this bug, sites setting a nonce-based CSP (without strict-dynamic) randomly break in Firefox if some of their scripts are behind redirects.

Code to reproduce in Firefox:
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
</head>
<body>
  <script nonce='abcd1234'>
    var s = document.createElement('script');
    s.setAttribute('nonce', 'abcd1234');
    s.src = 'https://goo.gl/jEH8zk';  // 301 redirect.
    document.head.appendChild(s);     // Blocked by CSP in FF because of redirect.
  </script>
</body>
</html>


Preview
https://gist.github.com/lweichselbaum/9c8e32c592889ffc2f103fce9d45eaea

http://gist-preview.herokuapp.com/preview?gist_url=https%3A%2F%2Fgist.githubusercontent.com%2Flweichselbaum%2F9c8e32c592889ffc2f103fce9d45eaea%2Fraw%2F505ed8c472a805c70cd05059206dd5f91c9a06ce%2FFF_CSP_BUG.html
Turns out that normally sourced scripts are affected as well:

<html>
<head>
  <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
</head>
<body>
  <script nonce='abcd1234' src='https://goo.gl/jEH8zk'></script>  
</body>
</html>

The script gets blocked in Firefox.
This is actually a big problem for nonce-only CSPs.
Adding 'strict-dynamic' to the CSP makes it work again, which actually should only apply to dynamically created scripts.
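
Added example, not part of the bug thread: a Node.js audit a site operator could run to find nonce'd external scripts that answer with a redirect, which are the loads this bug blocks under a nonce-only policy. The sample page, the `static.example.test` URLs, the status table and all function names are constructed for illustration.

```javascript
// Added example: list nonce'd external scripts whose URL answers with a redirect.
// Constructed sample page; the static.example.test URLs are made-up placeholders.
const SAMPLE_HTML = `
<script nonce='abcd1234' src='https://goo.gl/jEH8zk'></script>
<script nonce="abcd1234" src="https://static.example.test/app.js"></script>
<script nonce='abcd1234'>var inline = 1;</script>
<script src='https://static.example.test/no-nonce.js'></script>`;

// Constructed stand-in for the network: URL -> HTTP status of the first response.
const SAMPLE_STATUS = new Map([
  ['https://goo.gl/jEH8zk', 301],
  ['https://static.example.test/app.js', 200],
]);

// Return the src of every <script> start tag that carries both nonce and src.
function noncedScriptSources(html) {
  const sources = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*(['"])(.*?)\1/i.exec(tag);
    const nonce = /\bnonce\s*=\s*(['"])(.*?)\1/i.exec(tag);
    if (src && nonce) sources.push(src[2]);
  }
  return sources;
}

// Live probe for real use: fetch (Node 18+) with redirect: 'manual' exposes the 3xx itself.
async function liveStatus(url) {
  const res = await fetch(url, { method: 'HEAD', redirect: 'manual' });
  return res.status;
}

// statusOf is injectable so the audit can run offline against the constructed table.
async function findRedirectingScripts(html, statusOf = liveStatus) {
  const hits = [];
  for (const url of noncedScriptSources(html)) {
    const status = await statusOf(url);
    if (status >= 300 && status < 400) hits.push({ url, status });
  }
  return hits;
}

// Offline run over the constructed sample.
const auditSample = () =>
  findRedirectingScripts(SAMPLE_HTML, async (u) => SAMPLE_STATUS.get(u));
```

Scripts reported here can be pointed at their final URL so the load no longer depends on how the browser handles the redirect.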
Summary: CSP: Dynamically created script with valid nonce gets blocked if URL redirects → CSP: Scripts with valid nonce get blocked if URL redirects
Component: Security → DOM: Security
Product: Firefox → Core
Christoph says Vino could take a look.
Assignee: nobody → cegvinoth
Blocks: csp-w3c-2
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Whiteboard: [domsecurity-active]
Comment on attachment 8986335 [details]
Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed

For redirects, the requestContext parameter in AsyncOnChannelRedirect() was previously nullptr. Hence the element nonce was not fetched in nsCSPContext.cpp:
https://dxr.mozilla.org/mozilla-central/rev/75a32b57132f8cba42779555662a057a0416a313/dom/security/nsCSPContext.cpp#192

This is now fixed by passing the requestContext parameter from nsCSPService.
Attachment #8986335 - Flags: review?(ckerschb)
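
Added example, not Gecko code and not part of the patch: a simplified JavaScript model of the root cause described in the comment above, where the redirect check runs without the request context and so never sees the element's nonce. The function names, the `passContextOnRedirect` switch and the redirect target URL are assumptions made for illustration; host matching is reduced to an origin comparison.

```javascript
// Added model, not Gecko code: how a nonce-only script-src decides a load,
// and what changes when the redirect check is handed no request context.
function parseScriptSrc(policy) {
  const tokens = policy.trim().split(/\s+/).slice(1); // drop "script-src"
  const nonces = [], hosts = [];
  for (const t of tokens) {
    const m = /^'nonce-(.+)'$/.exec(t);
    if (m) nonces.push(m[1]);
    else if (!t.startsWith("'")) hosts.push(t); // URL sources, kept simple
  }
  return { nonces, hosts };
}

// requestContext stands for the <script> element; null means the caller did not pass it.
function permits(policy, url, requestContext) {
  const { nonces, hosts } = parseScriptSrc(policy);
  const nonce = requestContext ? requestContext.nonce : '';
  if (nonce && nonces.includes(nonce)) return true;
  // Without a nonce match only a URL source can allow the load (origin match only here).
  return hosts.some((h) => new URL(url).origin === h);
}

// Check the initial URL with the element, then each redirect hop with or without it.
function loadScript(policy, element, chain, passContextOnRedirect) {
  if (!permits(policy, chain[0], element)) return 'blocked';
  for (const hop of chain.slice(1)) {
    const ctx = passContextOnRedirect ? element : null;
    if (!permits(policy, hop, ctx)) return 'blocked on redirect';
  }
  return 'allowed';
}

const POLICY = "script-src 'nonce-abcd1234'";
const ELEMENT = { nonce: 'abcd1234' };
// The redirect target below is a constructed placeholder.
const CHAIN = ['https://goo.gl/jEH8zk', 'https://cdn.example.test/lib.js'];
```

With `passContextOnRedirect` set to `false` the model reproduces the reported block on the redirect hop; with `true` the same load is allowed.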
Comment on attachment 8986349 [details]
Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects.

Test files added to check that scripts with a valid nonce are allowed if the URL is redirected.
Attachment #8986349 - Flags: review?(ckerschb)
Comment on attachment 8986349 [details]
Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects.

Christoph Kerschbaumer [:ckerschb] has approved the revision.

https://phabricator.services.mozilla.com/D1721
Attachment #8986349 - Flags: review+
Attachment #8986335 - Flags: review?(ckerschb)
Attachment #8986349 - Flags: review?(ckerschb)
Comment on attachment 8986335 [details]
Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed

I have made the requested changes. Please review the patch and let me know if changes are needed.
Attachment #8986335 - Flags: review?(ckerschb)
Comment on attachment 8986335 [details]
Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed

Christoph Kerschbaumer [:ckerschb] has approved the revision.

https://phabricator.services.mozilla.com/D1720
Attachment #8986335 - Flags: review+
Attachment #8986335 - Flags: review?(ckerschb)
Keywords: checkin-needed
Thank you for fixing so quickly.

What is the first major version which will have this fix? (Need this info to update Google's CSP gears).
Pushed by archaeopteryx@coole-files.de:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4b1d446faee6
CSP: Scripts with valid nonce get blocked if URL redirects is fixed r=ckerschb
https://hg.mozilla.org/integration/mozilla-inbound/rev/ce98fd40ce82
Tests added to check scripts with valid nonce is allowed if URL redirects. r=ckerschb
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/4b1d446faee6
https://hg.mozilla.org/mozilla-central/rev/ce98fd40ce82
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
(In reply to Michele Spagnuolo from comment #11)
> Thank you for fixing so quickly.
> 
> What is the first major version which will have this fix? (Need this info to
> update Google's CSP gears).

Firefox 62 is the major version targeted for this fix.