Closed Bug 1517301 Opened 5 years ago Closed 5 years ago

A CSP error shouldn't be triggered for form-action if the submission has been canceled by JS

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla66
Tracking Flags:
Tracking Status
firefox66 --- fixed

People

(Reporter: julienw, Assigned: jkt)

Details

Attachments

(2 files)

testcase-csp-form.html
421 bytes, text/html
Details
Bug 1517301 - Move CSP check for form-action to be within HTMLFormSubmission to prevent checking before the form should be submitted. r?ckerschb
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase-csp-form.html 
STR:
1. Load the attached file.
2. Press the button.

=> Notice there's an error in the console despite the fact that `preventDefault` is called in the JS handler for the "submit" event.
Note that this doesn't happen in Chrome.
(Note: Bugzilla adds its own CSP header, so the results are a bit different when loaded from bugzilla's domain, but the error is still displayed)

We may be checking this twice (when nsHTMLFormElement::GetActionURL is called) in which case this is just an annoying extra error. But it's possible we're checking too early which might give the JS event a chance to change the form-action from a valid destination to a CSP-bypassing one.

jkt to test to make sure there's no CSP bypass. If not this could be P3, if there is we should mark this as a security bug and make it a P2.

Flags: needinfo?(jkt)

I wasn't able to make a CSP bypass whilst the event handler fires so it seems that we are double checking the URL when perhaps we shouldn't need to be. Maybe I should add a check for this to my patch though.

Assignee: nobody → jkt
Flags: needinfo?(jkt)
Pushed by jkingston@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/45bb6ff923e9
Move CSP check for form-action to be within HTMLFormSubmission to prevent checking before the form should be submitted. r=ckerschb,smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/14779 for changes under testing/web-platform/tests

https://hg.mozilla.org/mozilla-central/rev/45bb6ff923e9

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox66: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: