Closed Bug 1498060 Opened 3 years ago Closed 3 years ago

Saving to pocket triggers fatal assertion: about: page must contain a CSP including default-src

Categories

(Core :: DOM: Security, defect, P2)

Tracking

RESOLVED FIXED
mozilla65
Tracking Status
firefox65 --- fixed

People

(Reporter: bholley, Assigned: thecount)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

STR:
(1) Load a build with debug assertions enabled
(2) Navigate to an article
(3) Click the pocket icon in the menu bar

Assertion failure: parsedPolicyStr.Find("default-src") >= 0 (about: page must contain a CSP including default-src), at /files/mozilla/mc/q/dom/base/nsDocument.cpp:5368
I'll look into that right away actually!
Assignee: nobody → ckerschb
Blocks: 1492063
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
The about page in question is:

> about:pocket-signup?pockethost=getpocket.com&fxasignedin=0&variant=storyboard_lm&controlvariant=true&inoverflowmenu=false&locale=en-us&panelid=3

which gets generated here:
https://searchfox.org/mozilla-central/source/browser/components/pocket/content/main.js#186

We have two options:
(a) we can somehow add a CSP to about:pocket-signup,
(b) we can whitelist about:pocket-signup in all.js (which is what we do for some other special about pages) to not trigger the assertion.

If we can we should try to do (a); I would imagine we would add the meta CSP somewhere within this file:
https://searchfox.org/mozilla-central/source/browser/components/pocket/content/panels/tmpl/signupstoryboard_shell.handlebars

Please note that any meta CSP added outside the <head> tags will be ignored by our HTML parser. So I guess the question is whether we can add those tags and if that is really what we should try to do here.

Jared, Justin, blame tells me you did a lot of work on pocket/content/main.js. What do you think is the best option?
Flags: needinfo?(jaws)
Flags: needinfo?(dolske)
I believe Scott will be helping out from the Pocket side so redirecting to him.
Flags: needinfo?(jaws) → needinfo?(sdowne)
Yeah I can help out where needed, not quite sure what's needed of me yet though :)
Flags: needinfo?(sdowne)
Hey Scott,

please take a look at comment 3 for more information. In summary, we would like to add a strong CSP to all about: pages. It seems that various about: URIs within pocket [1], e.g. about:pocket-signup, about:pocket, ..., do not load with a meta CSP applied.

Question is, how do we add CSPs to those pages?
E.g. can we just make changes to [2], or does it take more than that?


Ideally we would like to add a meta CSP which would look something like the following (having a default-src defined and not allowing unsafe-inline to avoid script injection attacks):
> <head>
> <meta http-equiv="Content-Security-Policy" content="default-src chrome:" />
> </head>

[1] https://searchfox.org/mozilla-central/source/browser/components/pocket/content/main.js#
[2] https://searchfox.org/mozilla-central/source/browser/components/pocket/content/panels/tmpl/signupstoryboard_shell.handlebars
Flags: needinfo?(sdowne)
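As an added example (not code from this bug, from Pocket, or from mozilla-central), here is a stand-alone JavaScript lint that applies the two points made in the comment above to a page template: the meta CSP must carry a default-src (the debug assertion in nsDocument.cpp only does a substring find for "default-src"; this check is stricter and looks for the actual directive), and a meta CSP outside <head> is ignored by the HTML parser, so it must not count. It also flags 'unsafe-inline' on the directive that governs scripts. The function names and the sample templates are my own; the real handlebars files are not reproduced here.

```javascript
// Added example (not Firefox/Pocket code): a stand-alone lint for the meta CSP
// that an about: page template should carry. Function and field names are my own.

// Parse a CSP string into a Map: directive name -> array of source tokens.
// A repeated directive name is ignored after its first occurrence, as CSP specifies.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Would this single policy let an inline <script> run? script-src governs it,
// falling back to default-src; a policy with neither does not restrict scripts.
function policyAllowsInlineScript(directives) {
  const sources = directives.get("script-src") || directives.get("default-src");
  if (sources === undefined) return true;
  return sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}

// Locate every <meta http-equiv="Content-Security-Policy" ...> in the markup
// and record whether it sits between <head> and </head>.
function findMetaCsps(html) {
  const head = /<head\b[^>]*>[\s\S]*?<\/head>/i.exec(html);
  const headStart = head ? head.index : -1;
  const headEnd = head ? head.index + head[0].length : -1;
  const metas = [];
  const metaRe = /<meta\b[^>]*>/gi;
  let m;
  while ((m = metaRe.exec(html)) !== null) {
    const tag = m[0];
    const equiv = /http-equiv\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
    if (!equiv || equiv[1].toLowerCase() !== "content-security-policy") continue;
    // Capture the value up to the same quote it opened with, so single-quoted
    // keywords such as 'unsafe-inline' inside a "..." attribute survive intact.
    const content = /content\s*=\s*(["'])(.*?)\1/i.exec(tag);
    metas.push({
      policy: content ? content[2] : "",
      inHead: headStart >= 0 && m.index > headStart && m.index < headEnd,
    });
  }
  return metas;
}

// The check itself. Returns a result object instead of throwing so it can be
// used from a test or a build step.
function checkAboutPageCsp(html) {
  const metas = findMetaCsps(html);
  // Mirror the parser behaviour described in the bug: a meta CSP outside <head> is ignored.
  const effective = metas.filter(x => x.inHead);
  if (effective.length === 0) {
    return {
      ok: false,
      reason: metas.length
        ? "meta CSP present but outside <head>, so the parser ignores it"
        : "no meta CSP at all",
    };
  }
  const policies = effective.map(x => parseCsp(x.policy));
  // All enforced policies must be satisfied: inline script is allowed only if
  // every policy allows it, and default-src counts if any policy has it.
  const hasDefaultSrc = policies.some(p => p.has("default-src"));
  const allowsInline = policies.every(policyAllowsInlineScript);
  if (!hasDefaultSrc) return { ok: false, reason: "policy lacks default-src" };
  if (allowsInline) return { ok: false, reason: "policy allows 'unsafe-inline' scripts" };
  return { ok: true, reason: "default-src present, inline script blocked" };
}

// Constructed sample templates (not the real handlebars files from the tree).
const SAMPLE_GOOD =
  '<html><head><meta http-equiv="Content-Security-Policy" content="default-src chrome:" />' +
  '</head><body><script src="chrome://browser/content/pocket/main.js"></script></body></html>';
const SAMPLE_META_IN_BODY =
  '<html><head><title>x</title></head><body>' +
  '<meta http-equiv="Content-Security-Policy" content="default-src chrome:" /></body></html>';
const SAMPLE_UNSAFE_INLINE =
  '<html><head><meta http-equiv="Content-Security-Policy" ' +
  'content="default-src chrome: \'unsafe-inline\'" /></head><body></body></html>';
const SAMPLE_NO_CSP = '<html><head><title>x</title></head><body></body></html>';

for (const [name, html] of Object.entries({ SAMPLE_GOOD, SAMPLE_META_IN_BODY, SAMPLE_UNSAFE_INLINE, SAMPLE_NO_CSP })) {
  console.log(name, checkAboutPageCsp(html));
}
```

Only SAMPLE_GOOD passes; the template with the meta in <body> fails even though its policy text is identical, which is the trap the comment warns about. The lint is regex-based and meant for templates under your own control; for arbitrary HTML a real parser should be used.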
I tested the above attachment with success. I don't see a reason to not do it?

I'm curious when you need this on release by; for example, can it ride the fx 65 train?
Flags: needinfo?(sdowne)
(In reply to Scott [:thecount] Downe from comment #7)
> I tested the above attachment with success. I don't see a reason to not do
> it?

Great, thanks! I assigned the bug to you :-)

> I'm curious when you need this on release by, example, can it ride the fx 65
> train?

Yeah, if that works, it can just ride the trains. I just r+'d it in phabricator!

Thank you!
Assignee: ckerschb → sdowne
Keywords: checkin-needed
Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fa9318d1cd17
fixes bug 1498060 - Saving to pocket triggers fatal assertion: about: page must contain a CSP including default-src r=ckerschb
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/fa9318d1cd17
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Flags: qe-verify-
Flags: needinfo?(dolske)