Closed Bug 1497206 Opened 6 years ago Closed 5 years ago

Apply Meta CSP to about:searchreset

Categories

(Core :: DOM: Security, enhancement, P3)

enhancement

Tracking


RESOLVED DUPLICATE of bug 1521725

People

(Reporter: ckerschb, Assigned: ckerschb)

References

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(1 file, 1 obsolete file)

No description provided.
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Attachment #9016597 - Flags: review?(gijskruitbosch+bugs)
Comment on attachment 9016597 [details] [diff] [review]
bug_1497206_csp_about_searchreset.patch

Review of attachment 9016597 [details] [diff] [review]:
-----------------------------------------------------------------

Looks OK to me, but we should check with Florian if it's not possible for the search engine's iconURI to be anything other than a data: URI (like maybe a chrome: or blob: or file: or jar:file: URI).
Attachment #9016597 - Flags: review?(gijskruitbosch+bugs)
Attachment #9016597 - Flags: review?(florian)
Attachment #9016597 - Flags: review+
Comment on attachment 9016597 [details] [diff] [review]
bug_1497206_csp_about_searchreset.patch

(In reply to :Gijs (he/him) from comment #2)
> Comment on attachment 9016597 [details] [diff] [review]
> bug_1497206_csp_about_searchreset.patch
> 
> Review of attachment 9016597 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Looks OK to me, but we should check with Florian if it's not possible for
> the search engine's iconURI to be anything other than a data: URI (like
> maybe a chrome: or blob: or file: or jar:file: URI).

It looks like bug 1275366 made it possible to use chrome: or resource: URLs, but I'm not sure we ever used this new capability. Maybe mkaply knows.
Flags: needinfo?(mozilla)
Attachment #9016597 - Flags: review?(florian)
Yes, we have search engines that use resource URIs and we support chrome URIs as well.

Can someone explain what this patch is?
Flags: needinfo?(mozilla)
(In reply to Mike Kaply [:mkaply] from comment #4)
> Yes, we have search engines that use resource URIs and we support chrome
> URIs as well.

How do I have to update the patch so we can remove the data: scheme from the CSP?

> Can someone explain what this patch is?

Ultimately we would like to apply a Content Security Policy (CSP) to all about: pages within Firefox, with the intent to add another layer of security making sure there are no script injection attacks, because CSP would block all inline script and all other script not loaded from a chrome: URI.
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #5)
> (In reply to Mike Kaply [:mkaply] from comment #4)
> > Yes, we have search engines that use resource URIs and we support chrome
> > URIs as well.
> 
> How do I have to update the patch so we can remove the data: scheme from the
> CSP.

I think we'll also need to keep the data: scheme. But I think you should add chrome: and resource: to the img-src directive. With that, I think we're good to go here. We can always tighten things up later.
(In reply to :Gijs (he/him) from comment #6)
> I think we'll also need to keep the data: scheme. But I think you should add
> chrome: and resource: to the img-src directive. With that, I think we're
> good to go here. We can always tighten things up later.

Yeah that makes sense to me.

Carrying over r+ from Gijs!
Attachment #9016597 - Attachment is obsolete: true
Attachment #9017071 - Flags: review+
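A worked check of the img-src question discussed in comments 5 to 7, added here as an example and not code from the patch or from Firefox: a small CSP evaluator in JavaScript that decides whether an icon URI's scheme passes the policy. The two policies and the icon URIs are constructed for illustration; the actual patch contents are not shown in this bug.

```javascript
// Added example (not the Firefox CSP implementation): evaluate whether a
// search engine iconURI would pass a page's img-src directive. Only
// scheme-sources, '*' and 'none' are handled; host-sources, nonces and
// hashes are out of scope here.

// Parse "directive src src; directive src" into a Map of directive -> sources.
// Per CSP, a repeated directive is ignored, so only the first one is kept.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// A scheme-source such as "chrome:" matches every URI with that scheme.
function schemeAllowed(sources, scheme) {
  if (sources.includes("'none'")) return false;
  if (sources.includes("*")) return true;
  return sources.some(src => src.toLowerCase() === scheme + ":");
}

// Check an image load: img-src governs it, falling back to default-src
// when img-src is absent, as the CSP fallback rules specify.
function imageAllowed(policy, iconUri) {
  const colon = iconUri.indexOf(":");
  if (colon < 0) return false;            // not an absolute URI
  const scheme = iconUri.slice(0, colon).toLowerCase();
  const directives = parseCsp(policy);
  const sources = directives.get("img-src") ?? directives.get("default-src") ?? [];
  return schemeAllowed(sources, scheme);
}

// Constructed policies in the spirit of the review: data: only, then widened.
const DATA_ONLY_CSP = "default-src chrome:; img-src data:; object-src 'none'";
const WIDENED_CSP = "default-src chrome:; img-src chrome: resource: data:; object-src 'none'";

// Constructed icon URIs of the three kinds mentioned in the thread.
const ICON_URIS = [
  "data:image/png;base64,iVBORw0KGgo=",
  "chrome://browser/skin/search-icon.png",
  "resource://search-extensions/engine-icon.png",
];

// Returns the icon URIs that the given policy would block.
function blockedIcons(policy) {
  return ICON_URIS.filter(uri => !imageAllowed(policy, uri));
}
```

Under the data:-only policy the chrome: and resource: icons are blocked; with chrome: and resource: added to img-src all three load.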

There's an r+ patch which didn't land and no activity in this bug for 2 weeks.
:ckerschb, could you have a look please?

Flags: needinfo?(ckerschb)

Before we can apply CSP to system privileged about pages we have to fix Bug 965637, in which we move the CSP from the Principal into the Client. Please note that the Meta Bug 1492063 for applying CSP to system privileged about: pages is blocked by 965637. At the moment we are fixing the last remaining blockers and as soon as we have landed Bug 965637 I'll try to land all the dependencies of Bug 1492063 so we end up having all about: pages secured by a CSP.

Flags: needinfo?(ckerschb)

I am rebasing all of the CSP patches for about: pages, it seems this one got fixed by Bug 1521725.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE