CSP: Scripts with valid nonce get blocked if URL redirects

RESOLVED FIXED in Firefox 62

Status

defect
P1
major
RESOLVED FIXED
Last year
4 months ago

People

(Reporter: lwe, Assigned: vinoth, Mentored)

Tracking

(Blocks 1 bug)

60 Branch
mozilla62

Firefox Tracking Flags

(firefox62 fixed)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 attachments)

Reporter

Description

Last year
Firefox's CSP implementation blocks dynamically created script tags (scripts created via document.createElement) with a valid nonce if the URL redirects.
Since the created script has a valid nonce it should execute (script gets executed in Chrome).
Because of this bug, sites setting a nonce-based CSP (without strict-dynamic) randomly break in Firefox if some of their scripts are behind redirects.

Code to reproduce in Firefox:
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
</head>
<body>
  <script nonce='abcd1234'>
    var s = document.createElement('script');
    s.setAttribute('nonce', 'abcd1234');
    s.src = 'https://goo.gl/jEH8zk';  // 301 redirect.
    document.head.appendChild(s);     // Blocked by CSP in FF because of redirect.
  </script>
</body>
</html>


Preview
https://gist.github.com/lweichselbaum/9c8e32c592889ffc2f103fce9d45eaea

http://gist-preview.herokuapp.com/preview?gist_url=https%3A%2F%2Fgist.githubusercontent.com%2Flweichselbaum%2F9c8e32c592889ffc2f103fce9d45eaea%2Fraw%2F505ed8c472a805c70cd05059206dd5f91c9a06ce%2FFF_CSP_BUG.html
Reporter

Comment 1

Last year
Turns out that normally sourced scripts are affected as well:

<html>
<head>
  <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
</head>
<body>
  <script nonce='abcd1234' src='https://goo.gl/jEH8zk'></script>  
</body>
</html>

The script gets blocked in Firefox.
This is actually a big problem for nonce-only CSPs.
Adding 'strict-dynamic' to the CSP makes it work again, which actually should only apply to dynamically created scripts.
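
A local harness for the two cases reported in the description and in comment 1 (an added example, not part of the bug report or of Firefox's test suite): it serves a nonce-only policy with one statically sourced and one dynamically created script, each behind a 302 redirect. The routes, port 8000 and element ids are assumptions chosen for this sketch.

```javascript
// Added example: local harness for the behaviour reported above.
// The routes, port and element ids are assumptions made for this sketch.
function page(nonce) {
  return `<!DOCTYPE html><title>nonce + redirect</title>
<p>static: <b id="static">blocked</b></p>
<p>dynamic: <b id="dynamic">blocked</b></p>
<script nonce="${nonce}" src="/redirect.js?how=static"></script>
<script nonce="${nonce}">
  var s = document.createElement('script');
  s.setAttribute('nonce', '${nonce}');
  s.src = '/redirect.js?how=dynamic';
  document.head.appendChild(s);
</script>`;
}

// Pure request handler: returns what the server sends for a request target.
function respond(target, nonce) {
  const url = new URL(target, 'http://127.0.0.1');
  // Only two literal values are ever echoed back, so nothing is injectable.
  const how = url.searchParams.get('how') === 'dynamic' ? 'dynamic' : 'static';
  switch (url.pathname) {
    case '/':
      return { status: 200, body: page(nonce), headers: {
        'Content-Type': 'text/html; charset=utf-8',
        // Nonce-only policy, deliberately without 'strict-dynamic'.
        'Content-Security-Policy': `script-src 'nonce-${nonce}'` } };
    case '/redirect.js': // the redirect hop that the report is about
      return { status: 302, body: '', headers: { Location: `/final.js?how=${how}` } };
    case '/final.js':
      return { status: 200, headers: { 'Content-Type': 'text/javascript' },
        body: `document.getElementById('${how}').textContent = 'ran';` };
    default:
      return { status: 404, body: 'not found', headers: {} };
  }
}

async function serve(port) {
  const http = await import('node:http');
  const { randomBytes } = await import('node:crypto');
  http.createServer((req, res) => {
    // Fresh nonce for every response, as a nonce-based policy requires.
    const r = respond(req.url, randomBytes(16).toString('base64'));
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port, '127.0.0.1', () => console.log(`http://127.0.0.1:${port}/`));
}

if (process.argv.includes('--serve')) serve(8000); // node harness.js --serve
```

In a browser that has the fix, both lines on the page read "ran"; with the behaviour reported here they stay at "blocked".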
Summary: CSP: Dynamically created script with valid nonce gets blocked if URL redirects → CSP: Scripts with valid nonce get blocked if URL redirects
Component: Security → DOM: Security
Product: Firefox → Core
Christoph says Vino could take a look.
Assignee: nobody → cegvinoth
Blocks: csp-w3c-2
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Whiteboard: [domsecurity-active]
Comment on attachment 8986335 [details]
Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed

For redirects, the requestContext parameter was previously nullptr in AsyncOnChannelRedirect(). Hence the element nonce was not fetched in nsCSPContext.cpp:
https://dxr.mozilla.org/mozilla-central/rev/75a32b57132f8cba42779555662a057a0416a313/dom/security/nsCSPContext.cpp#192

This is now fixed by passing the requestContext parameter from nsCSPService.
Attachment #8986335 - Flags: review?(ckerschb)
Comment on attachment 8986349 [details]
Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects.

Test files added to check that scripts with a valid nonce are allowed if the URL is redirected.
Attachment #8986349 - Flags: review?(ckerschb)
Comment on attachment 8986349 [details]
Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects.

Christoph Kerschbaumer [:ckerschb] has approved the revision.

https://phabricator.services.mozilla.com/D1721
Attachment #8986349 - Flags: review+
Attachment #8986335 - Flags: review?(ckerschb)
Attachment #8986349 - Flags: review?(ckerschb)
Comment on attachment 8986335 [details]
Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed

I have made the requested changes. Please review the patch and let me know if changes are needed.
Attachment #8986335 - Flags: review?(ckerschb)
Comment on attachment 8986335 [details]
Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed

Christoph Kerschbaumer [:ckerschb] has approved the revision.

https://phabricator.services.mozilla.com/D1720
Attachment #8986335 - Flags: review+
Attachment #8986335 - Flags: review?(ckerschb)
Thank you for fixing so quickly.

What is the first major version which will have this fix? (Need this info to update Google's CSP gears).

Comment 12

Last year
Pushed by archaeopteryx@coole-files.de:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4b1d446faee6
CSP: Scripts with valid nonce get blocked if URL redirects is fixed r=ckerschb
https://hg.mozilla.org/integration/mozilla-inbound/rev/ce98fd40ce82
Tests added to check scripts with valid nonce is allowed if URL redirects. r=ckerschb
Keywords: checkin-needed

Comment 13

Last year
bugherder
https://hg.mozilla.org/mozilla-central/rev/4b1d446faee6
https://hg.mozilla.org/mozilla-central/rev/ce98fd40ce82
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
(In reply to Michele Spagnuolo from comment #11)
> Thank you for fixing so quickly.
> 
> What is the first major version which will have this fix? (Need this info to
> update Google's CSP gears).

Firefox 62 is the major version targeted for this fix.