CSP: Scripts with valid nonce get blocked if URL redirects

RESOLVED FIXED in Firefox 62

Status


P1
major
RESOLVED FIXED
8 months ago
9 days ago

People

(Reporter: lwe, Assigned: vinoth, Mentored)

Tracking

(Blocks: 1 bug)

60 Branch
mozilla62
Points:
---

Firefox Tracking Flags

(firefox62 fixed)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 attachments)

(Reporter)

Description

8 months ago
Firefox's CSP implementation blocks dynamically created script tags (scripts created via document.createElement) with a valid nonce if the URL redirects.
Since the created script has a valid nonce it should execute (script gets executed in Chrome).
Because of this bug, sites setting a nonce-based CSP (without strict-dynamic) randomly break in Firefox if some of their scripts are behind redirects.

Code to reproduce in Firefox:
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
</head>
<body>
  <script nonce='abcd1234'>
    var s = document.createElement('script');
    s.setAttribute('nonce', 'abcd1234');
    s.src = 'https://goo.gl/jEH8zk';  // 301 redirect.
    document.head.appendChild(s);     // Blocked by CSP in FF because of redirect.
  </script>
</body>
</html>


Preview
https://gist.github.com/lweichselbaum/9c8e32c592889ffc2f103fce9d45eaea

http://gist-preview.herokuapp.com/preview?gist_url=https%3A%2F%2Fgist.githubusercontent.com%2Flweichselbaum%2F9c8e32c592889ffc2f103fce9d45eaea%2Fraw%2F505ed8c472a805c70cd05059206dd5f91c9a06ce%2FFF_CSP_BUG.html
(Reporter)

Comment 1

8 months ago
Turns out that normally sourced scripts are affected as well:

<html>
<head>
  <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'">
</head>
<body>
  <script nonce='abcd1234' src='https://goo.gl/jEH8zk'></script>  
</body>
</html>

The script gets blocked in Firefox.
This is actually a big problem for nonce-only CSPs.
Adding 'strict-dynamic' to the CSP makes it work again, which actually should only apply to dynamically created scripts.
Summary: CSP: Dynamically created script with valid nonce gets blocked if URL redirects → CSP: Scripts with valid nonce get blocked if URL redirects
Component: Security → DOM: Security
Product: Firefox → Core
Christoph says Vino could take a look.
Assignee: nobody → cegvinoth
Blocks: 968586
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P1
Whiteboard: [domsecurity-active]
Created attachment 8986335 [details]
Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed
(Assignee)

Comment 5

8 months ago
Comment on attachment 8986335 [details]
Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed

For redirects, the requestContext parameter in AsyncOnChannelRedirect() was previously nullptr. Hence the element nonce was not fetched in nsCSPContext.cpp,
https://dxr.mozilla.org/mozilla-central/rev/75a32b57132f8cba42779555662a057a0416a313/dom/security/nsCSPContext.cpp#192

This is now fixed by passing the requestContext parameter from nsCSPService.
Attachment #8986335 - Flags: review?(ckerschb)
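The following is an added example, not Firefox code or anything attached to this bug: a simplified model of the CSP3 script-src decision for a script whose URL redirects (the case in the description and comment 1), placed next to a model of the defect comment 5 names, where the element nonce is unavailable on redirect hops. The policy, nonce and redirect target are constructed sample values, and only 'nonce-…', 'strict-dynamic' and full-origin host sources are handled.

```javascript
// Added example, not Firefox code: a simplified model of the CSP3 script-src
// decision for a script whose URL redirects, next to a model of the pre-fix
// behaviour from comment 5 (element nonce unavailable on redirect hops).
// Only 'nonce-…', 'strict-dynamic' and full-origin host sources are handled.

// Parse the script-src directive of a policy string.
function parseScriptSrc(policy) {
  const m = /script-src\s+([^;]+)/.exec(policy);
  const tokens = m ? m[1].trim().split(/\s+/) : [];
  return {
    nonces: tokens.filter(t => t.startsWith("'nonce-")).map(t => t.slice(7, -1)),
    strictDynamic: tokens.includes("'strict-dynamic'"),
    // host sources are reduced to origins (wildcards and scheme-only sources omitted)
    hosts: tokens.filter(t => !t.startsWith("'")).map(t => new URL(t).origin),
  };
}

// CSP3: the nonce of the requesting element is re-checked at every hop of the
// redirect chain, so a matching nonce allows the script whatever the final URL.
// script = { nonce, parserInserted }, chain = [requested URL, ...redirect targets]
function allowsScript(policy, script, chain) {
  const src = parseScriptSrc(policy);
  return chain.every(url => {
    if (script.nonce && src.nonces.includes(script.nonce)) return true;
    if (src.strictDynamic) return !script.parserInserted;
    return src.hosts.includes(new URL(url).origin);
  });
}

// Pre-fix Firefox (comment 5): on a redirect the request context, and with it
// the element nonce, was missing, so hop 1+ fell back to host-source matching.
function allowsScriptPreFix(policy, script, chain) {
  const src = parseScriptSrc(policy);
  return chain.every((url, hop) => {
    const nonce = hop === 0 ? script.nonce : null; // nonce lost after a redirect
    if (nonce && src.nonces.includes(nonce)) return true;
    if (src.strictDynamic) return !script.parserInserted;
    return src.hosts.includes(new URL(url).origin);
  });
}

// Constructed sample: the nonce-only policy from the report, a script with a
// valid nonce, and a redirect chain ending at a host the policy never lists.
const POLICY = "script-src 'nonce-abcd1234'";
const SCRIPT = { nonce: "abcd1234", parserInserted: true };
const CHAIN = ["https://goo.gl/jEH8zk", "https://cdn.example/lib.js"];

console.log("CSP3  :", allowsScript(POLICY, SCRIPT, CHAIN));       // true
console.log("prefix:", allowsScriptPreFix(POLICY, SCRIPT, CHAIN)); // false
```

The pre-fix model reproduces only the nonce-on-redirect defect described in comment 5; it makes no claim about how the pre-fix build handled 'strict-dynamic'.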
Created attachment 8986349 [details]
Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects.
(Assignee)

Comment 7

8 months ago
Comment on attachment 8986349 [details]
Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects.

Test files added to check that scripts with a valid nonce are allowed if the URL is redirected.
Attachment #8986349 - Flags: review?(ckerschb)
Comment on attachment 8986349 [details]
Bug 1469150 - Tests added to check scripts with valid nonce is allowed if URL redirects.

Christoph Kerschbaumer [:ckerschb] has approved the revision.

https://phabricator.services.mozilla.com/D1721
Attachment #8986349 - Flags: review+
Attachment #8986335 - Flags: review?(ckerschb)
Attachment #8986349 - Flags: review?(ckerschb)
(Assignee)

Comment 9

8 months ago
Comment on attachment 8986335 [details]
Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed

I have made the requested changes. Please review the patch and let me know if changes are needed.
Attachment #8986335 - Flags: review?(ckerschb)
Comment on attachment 8986335 [details]
Bug 1469150 - CSP: Scripts with valid nonce get blocked if URL redirects is fixed

Christoph Kerschbaumer [:ckerschb] has approved the revision.

https://phabricator.services.mozilla.com/D1720
Attachment #8986335 - Flags: review+
Attachment #8986335 - Flags: review?(ckerschb)
(Assignee)

Updated

8 months ago
Keywords: checkin-needed

Comment 11

8 months ago
Thank you for fixing so quickly.

What is the first major version which will have this fix? (Need this info to update Google's CSP gears).

Comment 12

8 months ago
Pushed by archaeopteryx@coole-files.de:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4b1d446faee6
CSP: Scripts with valid nonce get blocked if URL redirects is fixed r=ckerschb
https://hg.mozilla.org/integration/mozilla-inbound/rev/ce98fd40ce82
Tests added to check scripts with valid nonce is allowed if URL redirects. r=ckerschb
Keywords: checkin-needed

Comment 13

8 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/4b1d446faee6
https://hg.mozilla.org/mozilla-central/rev/ce98fd40ce82
Status: NEW → RESOLVED
Last Resolved: 8 months ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
(Assignee)

Comment 14

8 months ago
(In reply to Michele Spagnuolo from comment #11)
> Thank you for fixing so quickly.
> 
> What is the first major version which will have this fix? (Need this info to
> update Google's CSP gears).

Firefox 62 is the major version targeted for this fix.