A CSP error shouldn't be triggered for form-action if the submission has been canceled by JS

RESOLVED FIXED in Firefox 66

Status

defect
RESOLVED FIXED
7 months ago
6 months ago

People

(Reporter: julienw, Assigned: jkt)

Tracking

Trunk
mozilla66

Firefox Tracking Flags

(firefox66 fixed)

Details

Attachments

(2 attachments)

STR:
1. Load the attached file.
2. Press the button.

=> Notice there's an error in the console despite the fact that `preventDefault` is called in the JS handler for the "submit" event.
Note that this doesn't happen in Chrome.
(Note: Bugzilla adds its own CSP header, so the results are a bit different when loaded from bugzilla's domain, but the error is still displayed)

We may be checking this twice (when nsHTMLFormElement::GetActionURL is called) in which case this is just an annoying extra error. But it's possible we're checking too early which might give the JS event a chance to change the form-action from a valid destination to a CSP-bypassing one.

jkt to test to make sure there's no CSP bypass. If not this could be P3, if there is we should mark this as a security bug and make it a P2.

Flags: needinfo?(jkt)

I wasn't able to make a CSP bypass whilst the event handler fires so it seems that we are double checking the URL when perhaps we shouldn't need to be. Maybe I should add a check for this to my patch though.

Assignee: nobody → jkt
Flags: needinfo?(jkt)
Pushed by jkingston@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/45bb6ff923e9
Move CSP check for form-action to be within HTMLFormSubmission to prevent checking before the form should be submitted. r=ckerschb,smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/14779 for changes under testing/web-platform/tests
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
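
Added example, not part of the bug thread and not Gecko code: a simplified JavaScript model of the ordering discussed above, comparing a form-action check that runs before the submit event (and again at submission) with one that runs only once the submission actually proceeds. The function names, the origin-only matching and the sample URLs are assumptions made for illustration.

```javascript
// Simplified model (not Gecko code): a form, a form-action allow-list,
// and a submit handler that may cancel the event or rewrite form.action.
function formActionAllowed(allowedOrigins, action) {
  return allowedOrigins.includes(new URL(action).origin);
}

// checkBeforeEvent = true models the reported behaviour (check runs before
// the submit event and again at submission); false models the fixed
// ordering, where the check runs only once a submission is really happening.
function submitForm(form, allowedOrigins, onSubmit, checkBeforeEvent) {
  const violations = [];
  const check = (stage) => {
    const ok = formActionAllowed(allowedOrigins, form.action);
    if (!ok) violations.push({ stage, blockedURL: form.action });
    return ok;
  };

  if (checkBeforeEvent) check("before-submit-event");

  const event = { defaultPrevented: false, preventDefault() { this.defaultPrevented = true; } };
  if (onSubmit) onSubmit(event, form);
  if (event.defaultPrevented) return { navigatedTo: null, violations };

  // Check the action as it stands after the handlers ran.
  const ok = check("submission");
  return { navigatedTo: ok ? form.action : null, violations };
}

// Constructed sample inputs.
const ALLOWED = ["https://app.example"];
const cancel = (e) => e.preventDefault();
const rewrite = (e, form) => { form.action = "https://other.example/collect"; };

function runCases() {
  const blocked = () => ({ action: "https://other.example/collect" });
  const allowed = () => ({ action: "https://app.example/save" });
  return {
    canceledOld: submitForm(blocked(), ALLOWED, cancel, true),
    canceledNew: submitForm(blocked(), ALLOWED, cancel, false),
    rewrittenOld: submitForm(allowed(), ALLOWED, rewrite, true),
    rewrittenNew: submitForm(allowed(), ALLOWED, rewrite, false),
    normalNew: submitForm(allowed(), ALLOWED, null, false),
  };
}

console.log(JSON.stringify(runCases(), null, 2));
```

In this model the canceled submission produces a violation report only under the early check, while an action rewritten by the handler is still evaluated at submission time in both orderings.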