1490165 - Web Workers setTimeout / setInterval CSP bypass

Status: RESOLVED FIXED

(Core :: DOM: Security, defect, P3)

Description

[FLR]

Attachment: Worker_setTimeout_CSP_bypass.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180830143136

Steps to reproduce:

When a Web worker javascript file (either a Worker, SharedWorker or ServiceWorker) is loaded with its own Content-Security-Policy set to default-src 'self', the CSP could be bypassed by either calling the setTimeout or the setInterval function.


Actual results:

Loading a Web worker from a server reponse with a Content-Security-Policy set to default-src 'self' and the following instruction (see the screenshot in Worker_setTimeout_CSP_bypass.png)
  setTimeout("console.log('[FAIL] - CSP bypass setTimeout')")
will display an entry in the console log which indicates that an "eval" as occurred even if the 'unsafe-eval' instruction is not set in the Content-Security-Policy.


Expected results:

The CSP should have blocked the execution of the setTimeout instruction as "eval" or "new Function()" instructions.

Comment 1

[FLR]

Note that the setTimeout / setInterval CSP bypass also works for a Blob URL with an inherited Content-Security-Policy default-src 'self' blob:

Comment 2

[Daniel Veditz [:dveditz]]

These are known failures in the Web Platform Tests for this feature:
https://searchfox.org/mozilla-central/source/testing/web-platform/meta/content-security-policy/inside-worker/dedicated-script.html.ini

Comment 4

[Daniel Veditz [:dveditz]]

un-hid bug because the Web Platform Test results are public:
https://wpt.fyi/results/content-security-policy/inside-worker?complete=true

Comment 5

[Andrea Marchesini [:baku]]

Attachment: part 1 - SetTimeout/SetInternval in workers

Comment 6

[Andrea Marchesini [:baku]]

Attachment: part 2 - eval

Comment 7

[Andrea Marchesini [:baku]]

These 2 patches do not cover importScripts() yet.

Comment 8

[Andrea Marchesini [:baku]]

Attachment: part 3 - fix CSP in blob

Comment 9

[Christoph Kerschbaumer [:ckerschb]]

Comment on attachment 9008777 [details] [diff] [review]
part 1 - SetTimeout/SetInternval in workers

Review of attachment 9008777 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks Baku, that looks great!

::: dom/security/CSPEvalChecker.cpp
@@ +27,5 @@
> +              bool* aAllowed)
> +{
> +  MOZ_ASSERT(NS_IsMainThread());
> +  MOZ_ASSERT(aAllowed);
> +

Can you please do
*aAllowed = false;
at the function entry point here to make sure in case someone extends the code the return val is always set - thanks.

@@ +102,5 @@
> +{
> +  MOZ_ASSERT(NS_IsMainThread());
> +  MOZ_ASSERT(aWindow);
> +  MOZ_ASSERT(aAllowEval);
> +

same here, please init
aAllowEval = false;

Comment 10

[Pulsebot]

Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ebcf49549e65
Workers.setTimeout/setInterval must handle CSP rejections, r=ckerschb
https://hg.mozilla.org/integration/mozilla-inbound/rev/28025c893d78
CSP blocking function() must return an EvalError, r=ckerschb
https://hg.mozilla.org/integration/mozilla-inbound/rev/cc8df9e94e81
WorkerPrivate must set the CSPEventListener at any CSP internal object, r=ckerschb
https://hg.mozilla.org/integration/mozilla-inbound/rev/f628cd83dd09
Mark a WPT as error expected - the test is wrong and it will be fixed in a follow up, r=me

Comment 11

[Bogdan Tara[:bogdan_tara | bogdant]]

https://hg.mozilla.org/mozilla-central/rev/ebcf49549e65
https://hg.mozilla.org/mozilla-central/rev/28025c893d78
https://hg.mozilla.org/mozilla-central/rev/cc8df9e94e81
https://hg.mozilla.org/mozilla-central/rev/f628cd83dd09

Comment 12

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Please request uplift here.

Comment 13

[Chris Mills [:cmills]]

Might need a mention in the docs somewhere.

Comment 14

[Chris Mills [:cmills]]

I'm not so convinced any more; more of a bug fix than a feature.