Mixed content blocker is getting a nullprincipal in an opaque document case
Categories
(Core :: DOM: Security, enhancement, P3)
Tracking
()
People
(Reporter: jkt, Assigned: n.goeggi)
References
(Blocks 2 open bugs)
Details
(Keywords: sec-audit, Whiteboard: [domsecurity-backlog1][post-critsmash-triage][adv-main92-])
In Bug 1514396 I noticed that we can't assert that nullprincipal URI isn't ever set for the requestingLocation so a narrower assert was added.
The failing test I found was in testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html when a sandboxed frame / data URI loads an image. The image NodePrincipal is a nullprincipal.
nsMixedContentBlocker::ShouldLoad then sets requestingLocation to be the principal URI which seems an incorrect check rather than using the parent document to check for CSP etc.
I would like to investigate that this is either not a problem or that we should be passing the correct NodePrincipal into the image to be used in mixed content blocking cases. I'm setting this as security sensitive as it's a little concerning that we are bypassing security checks.
Reporter | ||
Updated•6 years ago
|
Updated•6 years ago
|
Reporter | ||
Comment 1•6 years ago
|
||
I'm going to reprioritise this, even though I am concerned this might be a MCB escape still this is a larger project than expected.
I haven't written a test case but it appears we aren't adhering to the standard. For strict blocking of mixed content we don't appear to be checking the framing element and also the top level document if strict blocking is enabled. The standard also calls for the global settings object of a document to be initialised with the same strict blocking value as it's parent. This wording is irrelevant but it doesn’t appear we behave this way.
Using principals to decide the requestingLocation
appears to be broken in that we now use null principals for data: uri loads. This has the impact of making the algorithm return early and permit the load, rather than checking the frame and the top level document.
Reporter | ||
Updated•6 years ago
|
Reporter | ||
Updated•5 years ago
|
Comment 2•3 years ago
|
||
Tracking the precursor URI (work within Bug 1715167) will allow us to fix that, after we have the precuros URI on a NullPrincipal, then we can fix this problem within 1551886. I am not marking it as a duplicate, but I think it is one actually.
Like Christoph suggested, this was fixed in Bug 1551886.
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Updated•2 years ago
|
Description
•