Closed Bug 1486864 Opened 7 years ago Closed 7 years ago

WebExtension upload verifier doesn't verify CSPs

Categories

(addons.mozilla.org :: Security, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: johnp, Unassigned)

Details

This WebExtension [1] contains the following content-security-policy:

"script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval' ; connect-src *; object-src 'self' "

"connect-src *" seems to violate two requirements of WebExtension CSPs [3], specifically:

* All sources must specify a host
* Remote sources must use `https:` schemes

Not marking this as security sensitive since it's already public. [2]

[1] https://addons.mozilla.org/firefox/addon/adkiller-adblocker (at least since 15.6.2018 [2]; currently in version 1.9.41.47)
[2] https://twitter.com/gorhill/status/1018484996212969472
[3] https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy
I also just realized that this is not only an AMO problem, but the documented restrictions (probably) shouldn't even allow installing such a WebExtension in Firefox (e.g. unsigned XPI).
In fact, this footnote (this should really be more prominent) in [3] even states:

1. Note: Valid examples display the correct use of keys in CSP. However, extensions with 'unsafe-eval', 'unsafe-inline', remote script, blob, or remote sources in their CSP are not allowed for extensions listed on addons.mozilla.org due to major security issues.

It seems like this major security issue is not enforced on AMO at all.
Summary: WebExtension upload verifier allows connect-src: * → WebExtension upload verifier doesn't verify CSPs
Issues with the add-on linter should be filed here: https://github.com/mozilla/addons-linter/issues/new Other add-on code issues can be reported to amo-admins AT mozilla DOT org, or the #addon-reviewers channel on IRC.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
(In reply to Johannes Pfrang [:johnp] from comment #0)
> "connect-src *" seems to violate two requirements of WebExtension CSPs [3],
> specifically:
>
> * All sources must specify a host
> * Remote sources must use `https:` schemes

This assessment is incorrect. The default value for connect-src is already a wildcard; connect-src controls whether an extension can initiate a request to that destination, and has nothing to do with script execution. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src

The only relevant relaxing CSP in the list is:
> "script-src 'self' 'unsafe-eval';
where the use of 'unsafe-eval' allows extensions to evaluate code in an extension page. This is generally not allowed, but not strictly forbidden - see https://github.com/mozilla/addons-linter/issues/1506
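The distinction drawn in the reply above, as an added example (not addons-linter code and not from either commenter): a small checker that applies the documented AMO restrictions only to the script-controlling directives and leaves connect-src alone. It assumes those restrictions apply to script-src and object-src, and treats nonce/hash keywords as something for a human reviewer rather than flagging them.

```javascript
// Added example, not addons-linter code. Assumption: the documented
// restrictions (unsafe-eval, unsafe-inline, blob/remote sources,
// host-less sources, non-https hosts) govern script-src and object-src;
// connect-src only limits fetch/XHR destinations, so it is not examined.

const SCRIPT_DIRECTIVES = ['script-src', 'object-src'];

// Split "dir src src; dir src" into a Map of directive -> [sources].
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Classify one source expression of a script-controlling directive.
// Returns null when it is acceptable for a listed extension.
function reviewSource(src) {
  const s = src.toLowerCase();
  if (s === "'self'" || s === "'none'") return null;
  if (s === "'unsafe-eval'" || s === "'unsafe-inline'") return `${src} is not allowed for listed extensions`;
  if (s.startsWith('blob:')) return 'blob: sources are not allowed';
  if (s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s)) return `${src} does not specify a host`;
  if (s.startsWith('http:')) return `${src} must use the https: scheme`;
  if (s.startsWith("'")) return null; // nonce-/sha-style keywords: leave to a human reviewer
  return `${src} is a remote source, which is not allowed for listed extensions`;
}

// Returns the list of findings; empty means nothing to object to.
function checkExtensionCsp(csp) {
  const findings = [];
  const directives = parseCsp(csp);
  for (const name of SCRIPT_DIRECTIVES) {
    for (const src of directives.get(name) || []) {
      const problem = reviewSource(src);
      if (problem) findings.push(`${name}: ${problem}`);
    }
  }
  return findings;
}

// The policy quoted in comment #0: only 'unsafe-eval' in script-src is
// reported; "connect-src *" is not a script-execution concern.
const reported = "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval' ; connect-src *; object-src 'self' ";
console.log(checkExtensionCsp(reported));
```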