CSP for internal pages should deny plugins (object-src 'none') [privileged pages]

Categories: Core :: DOM: Security, enhancement, P2

Tracking:

| Tracking | Status |
|---|---|
| firefox71 | fixed |

People: Reporter: freddy, Assigned: ckerschb
Details: Whiteboard: [domsecurity-active]
Attachments: 1 file

Description
Privileged pages are getting a CSP. That's great. But I think we want to amend the CSP to contain object-src 'none'. If we had a reflected XSS (or something similar, that doesn't allow scripts but does reflect content) in chrome://, we would be open to rosetta-flash style attacks (see <https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/>).
Comment 1 (Reporter) • 5 years ago

Christoph, I noticed you're still adding new CSPs to about: pages that are default-src chrome:. Do you think it would be worthwhile coming up with a slightly stricter CSP that avoids some pitfalls? Happy to patch the existing here. How about something like default-src 'none'; script-src chrome:; object-src 'none'; base-uri 'none'; img-src chrome:?
Comment 2 (Assignee) • 5 years ago

Right, I have that in mind actually. My idea was to get all of the dependencies landed for Bug 1492063 and then 'tighten' the CSP. Reasons being manifold:
- all dependencies have been tested and already r+, so let's get them landed to get basic coverage.
- fallouts, because landing default-src 'none' might break things.
- Once we have a CSP it's easy to tighten it.
Comment 3 (Assignee) • 5 years ago

Comment 4 (Assignee) • 5 years ago

Kate, I think you were working on adding CSP to about:newtab, right? If I remember correctly we host that code on GitHub, and I think once we land the code within this bug then about:newtab will hit the assertion, because most likely it does not include "object-src 'none'", right?
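The policy shapes discussed in comment 1 (the loose default-src chrome: form versus the proposed strict form) and the assertion comment 4 expects about:newtab to trip, as an added example that is not Firefox code: a small Python checker that parses a serialized CSP and reports whether it effectively denies plugin content. It goes slightly beyond the literal "object-src 'none'" check comment 4 describes by modelling the CSP fallback rule, so a bare default-src 'none' also counts as denying plugins while 'none' mixed with other sources does not. The about: page names and their policies in SAMPLE_POLICIES are constructed for the example.

```python
"""Added example (not Firefox code): check whether a CSP denies plugin
content, i.e. whether its effective object-src is exactly 'none'."""
from typing import Dict, List, Optional

# Fetch directives that fall back to default-src when absent (CSP3).
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "object-src",
                         "font-src", "media-src", "connect-src", "frame-src",
                         "worker-src", "manifest-src"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive: [source expressions]}.

    Directive names are ASCII case-insensitive. A repeated directive is
    ignored after its first occurrence, matching the CSP parsing algorithm.
    """
    directives: Dict[str, List[str]] = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in directives:
            directives[name] = parts[1:]
    return directives


def effective_sources(directives: Dict[str, List[str]],
                      name: str) -> Optional[List[str]]:
    """Sources that govern `name`, honouring the default-src fallback.

    Returns None when nothing in the policy restricts the directive.
    """
    if name in directives:
        return directives[name]
    if name in FALLS_BACK_TO_DEFAULT:
        return directives.get("default-src")
    return None


def denies_plugins(policy: str) -> bool:
    """True only if the effective object-src is the single keyword 'none'.

    'none' listed alongside other sources is not a restriction (the other
    sources still match), so the list must be exactly ["'none'"].
    """
    sources = effective_sources(parse_csp(policy), "object-src")
    if sources is None:
        return False
    return [s.lower() for s in sources] == ["'none'"]


def pages_allowing_plugins(page_policies: Dict[str, str]) -> List[str]:
    """Names of pages whose CSP would fail an 'object-src must be none' check."""
    return sorted(name for name, csp in page_policies.items()
                  if not denies_plugins(csp))


# Constructed sample policies for hypothetical about: pages. The first two
# mirror the shapes discussed in this bug (old loose form, proposed strict form).
SAMPLE_POLICIES = {
    "about:example-old": "default-src chrome:",
    "about:example-strict": ("default-src 'none'; script-src chrome:; "
                             "object-src 'none'; base-uri 'none'; img-src chrome:"),
    "about:example-default-none": "default-src 'none'",
    "about:example-mixed": "default-src chrome:; object-src 'none' chrome:",
}

if __name__ == "__main__":
    for page, csp in SAMPLE_POLICIES.items():
        print(f"{page:28} denies plugins: {denies_plugins(csp)}")
    print("would fail the check:", pages_allowing_plugins(SAMPLE_POLICIES))
```

Running the block lists about:example-mixed and about:example-old as the pages that would fail, which is the same class of page the assertion in comment 4 is meant to catch before it ships.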
Pushed by mozilla@christophkerschbaumer.com:
https://hg.mozilla.org/integration/autoland/rev/ae1e5187f0bf
Add object-src 'none' to the CSP of all about: pages. r=freddyb

Comment 6 • 5 years ago

bugherder
Comment 7 (Assignee) • 2 years ago

Clearing out my ni? queue with super old ni? requests which were rendered unnecessary in the meantime.