Closed Bug 1519406 Opened 6 years ago Closed 3 years ago

Mixed content blocker is getting a nullprincipal in an opaque document case

Categories

(Core :: DOM: Security, enhancement, P3)

65 Branch
enhancement

Tracking

()

RESOLVED FIXED
92 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox-esr91 --- wontfix
firefox90 --- wontfix
firefox91 --- wontfix
firefox92 --- fixed

People

(Reporter: jkt, Assigned: n.goeggi)

References

(Blocks 2 open bugs)

Details

(Keywords: sec-audit, Whiteboard: [domsecurity-backlog1][post-critsmash-triage][adv-main92-])

In Bug 1514396 I noticed that we can't assert that nullprincipal URI isn't ever set for the requestingLocation so a narrower assert was added.

The failing test I found was in testing/web-platform/tests/content-security-policy/inheritance/iframe-all-local-schemes-inherit-self.sub.html when a sandboxed frame / data URI loads an image. The image NodePrincipal is a nullprincipal.

nsMixedContentBlocker::ShouldLoad then sets requestingLocation to be the principal URI which seems an incorrect check rather than using the parent document to check for CSP etc.

I would like to investigate that this is either not a problem or that we should be passing the correct NodePrincipal into the image to be used in mixed content blocking cases. I'm setting this as security sensitive as it's a little concerning that we are bypassing security checks.

Component: DOM → DOM: Security
Group: core-security → dom-core-security

I'm going to reprioritise this, even though I am concerned this might be a MCB escape still this is a larger project than expected.

I haven't written a test case but it appears we aren't adhering to the standard. For strict blocking of mixed content we don't appear to be checking the framing element and also the top level document if strict blocking is enabled. The standard also calls for the global settings object of a document to be initialised with the same strict blocking value as it's parent. This wording is irrelevant but it doesn’t appear we behave this way.

Using principals to decide the requestingLocation appears to be broken in that we now use null principals for data: uri loads. This has the impact of making the algorithm return early and permit the load, rather than checking the frame and the top level document.

Priority: P2 → P3
Whiteboard: [domsecurity-active] → [domsecurity-backlog1]
Keywords: sec-audit
Depends on: CVE-2021-38491

Tracking the precursor URI (work within Bug 1715167) will allow us to fix that, after we have the precuros URI on a NullPrincipal, then we can fix this problem within 1551886. I am not marking it as a duplicate, but I think it is one actually.

Assignee: jonathan → ngogge
No longer depends on: MixedContentBlocker

Like Christoph suggested, this was fixed in Bug 1551886.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Group: dom-core-security → core-security-release
Target Milestone: --- → 92 Branch
Flags: qe-verify-
Whiteboard: [domsecurity-backlog1] → [domsecurity-backlog1][post-critsmash-triage]
Whiteboard: [domsecurity-backlog1][post-critsmash-triage] → [domsecurity-backlog1][post-critsmash-triage][adv-main92-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.