Closed Bug 1509738 Opened 6 years ago Closed 6 years ago

CSP: Snapshot nonce at load start time (and use that nonce during redirects)

Categories

(Core :: DOM: Security, enhancement, P2)

Product:
Core
Component:
DOM: Security
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox67 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(2 files, 3 obsolete files)

Summary: Test nonce snapshot for CSP loades
47 bytes, text/x-phabricator-request
Details | Review
Summary: Bug 1509738: CSP snapshot nonce at load start time
47 bytes, text/x-phabricator-request
Details | Review
Currently our CSP implementation checks the nonce of a (style,script) at load start and then re-queries the nonce if the load gets redirected. We should snapshot the nonce at start load time, potentially store in the loadinfo and then use that nonce throughout the lifecycle of a load. Additionally we should write a web platform test.
Blocks: csp-w3c-3
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Once Bug 965637 is landed we should fix that bug.
Depends on: 965637
Copying over review statement for additional info from Bug 965637: That said, is the nonce really supposed to be examined at redirect time, not snapshotted at load start time? That is, if we start the load, then change the nonce, is the CSP check during redirects supposed to pick up the new nonce?? https://fetch.spec.whatwg.org/#concept-request-nonce-metadata makes me think the nonce is captured at request start time, so we should not need an element to do a nonce check. And in particular, we should be able to do this enforcement completely in the parent process. Please file a followup bug on this. I bet there is no test coverage for this. :(
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: P3 → P2
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]
Attachment #9043244 - Attachment is obsolete: true
Attachment #9042948 - Attachment is obsolete: true

I stacked the revisions and lando shows both patches stacked for landing - when I hit 'preview landing' however it tells me:

You have insufficient permissions to land. Level 3 Commit Access is required

I do have Level 3 Commit access, but don't have time right now to trouble shoot - can someone land that for me in the meantime?

Thanks!

Keywords: checkin-needed

Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/44a945b21f87
CSP snapshot nonce at load start time r=baku

Keywords: checkin-needed
Pushed by apavel@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5cbc3f79a126 Summary: Test nonce snapshot for CSP loades r=jkt

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #7)

I do have Level 3 Commit access, but don't have time right now to trouble shoot - can someone land that for me in the meantime?
Any chance the API key in Lando belongs to your personal address but you are logged in with mozilla.com? There was another developer yesterday who had moved their hg permissions to the mozilla.com one and had to provide a new API key in Lando to be able to push. In Lando at the top right, open the menu and open the accounts settings on the left.

(In reply to Andreea Pavel [:apavel] from comment #11)

Backed out for failing /propagate-nonce-external-classic.htm

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&selectedJob=228048743&revision=44a945b21f87d60d4cf839ef69ce38b33fa168e3

Mhm, I can't reproduce locally and it seems to work on TRY now:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=2ac265f9e8d9db1079a01ffcaa946941eeb553fa

Flags: needinfo?(ckerschb)

:aryx, :apavel, can we try to reland that? Please see green TRY push in comment 12. I don't know what the issue was, but it works locally on mac and linux and it seems try is happy as well now.

Flags: needinfo?(aryx.bugmail)
Flags: needinfo?(apavel)
Pushed by archaeopteryx@coole-files.de: https://hg.mozilla.org/integration/autoland/rev/53f624bc7c22 Test nonce snapshot for CSP loades. r=jkt https://hg.mozilla.org/integration/autoland/rev/fbf4b73c8786 CSP snapshot nonce at load start time. r=baku
Flags: needinfo?(aryx.bugmail)
Flags: needinfo?(apavel)

Hey Noemi, any idea what might be the problem here? This changeset got already backed out once (see comment 11). I couldn't reproduce the error locally. I then re-pushed to try and got a green try run (see bottom of comment 12). Now it got backed out again - beats me...

Any idea what I could try to figure the problem?

Flags: needinfo?(ckerschb) → needinfo?(nerli)

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #16)

Any idea what I could try to figure the problem?

So, the problem was that Bug 1525006 landed in the meantime which added a new content policy type for modules which caused propagate-nonce-external-classic.html to fail. I was able to reproduce locally and fixed it locally. I rebased - pushing to try to make sure everything is fine now:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=030463fec2bf0f43898fa845c1a39d0a31902bea

Depends on: 1525006
Flags: needinfo?(nerli)
Attachment #9043311 - Attachment is obsolete: true

Third time's a charm :-)

I rebased the patches and uploaded a new version, the two phabricator patches:

should land together - see also green try run from comment 17.

Can someone check that in for me please? Thanks!

Keywords: checkin-needed

Pushed by archaeopteryx@coole-files.de:
https://hg.mozilla.org/integration/autoland/rev/53354f120211
Test nonce snapshot for CSP loades. r=jkt
https://hg.mozilla.org/integration/autoland/rev/4c1eb1293bbf
CSP snapshot nonce at load start time. r=baku

Keywords: checkin-needed

https://hg.mozilla.org/mozilla-central/rev/53354f120211
https://hg.mozilla.org/mozilla-central/rev/4c1eb1293bbf

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox67: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: