Open Bug 1524519 Opened 6 years ago Updated 2 years ago

CSP script nonce not working on test page

Categories

(Core :: DOM: Security, defect, P3)

64 Branch
defect

Tracking

()

People

(Reporter: 1009465756, Unassigned)

Details

(Whiteboard: [domsecurity-backlog2])

Attachments

(1 file)

Attached image Message in Dev Tool.png

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36

Steps to reproduce:

Open the link 'https://wx.mail.qq.com/', which is served with a CSP header that uses the 'nonce' feature.

Actual results:

  1. Open the dev tools and check the console.
  2. You can see that 'script-src' blocked the inline script on line 14. The code is listed as follows:

  var flag = true

  // IE8 has Object.defineProperty, but it only accepts DOM objects as the target,
  // so defining a property on a plain object throws there.
  var o = {}
  try {
    var curObject = Object.defineProperty(o, 'abc', { value: 123 })
    var originObject = {
      abc: 123
    }
    if (curObject.abc !== originObject.abc) {
      flag = false
    }
  } catch (e) { // The 'script-src' directive blocks the inline script at this point.
    flag = false
  }

  3. There aren't any alerts for the same web page in Chrome. It is inferred that the behavior of the CSP header described above is totally unexpected in Firefox.
Summary: Unexpected beheavior of CSP header in Firefox → Unexpected behavior of CSP header in Firefox
Component: Untriaged → DOM: Security
Product: Firefox → Core

The CSP from that page:

Content-Security-Policy:
  default-src 'self' https://*.qq.com https://*.qqmail.com;
  script-src 'self' https://*.oa.com https://hm.baidu.com http://hm.baidu.com *.google-analytics.com http://mat1.gtimg.com https://mat1.gtimg.com http://*.soso.com https://*.soso.com http://*.qq.com https://*.qq.com http://*.qqmail.com https://*.qqmail.com http://pub.idqqimg.com 'nonce-14540bb353ac024b89bb712b2e42cb28' 'unsafe-eval';
  style-src 'self' https://*.qq.com https://*.oa.com https://rescdn.qqmail.com 'unsafe-inline';
  img-src * 'self' data: http: https:;
  media-src 'self' https://*.qq.com;
  font-src 'self' https://*.oa.com https://*.qq.com data: http: https:;
  child-src 'self' https://*.qq.com blob:;
  connect-src 'self' wss://wx.mail.qq.com https://*.qq.com;
  frame-src 'self' https://*.qq.com;
  worker-src 'self' https://*.qq.com blob: 'self';
  manifest-src 'self' https://*.qq.com;
  base-uri 'self';
  object-src 'none';
  report-uri https://aq.qq.com/cn2/manage/mbtoken/hijack_csp_report

Note that the nonce (Number used ONCE) seems to be static, which means any potential XSS can trivially exploit this by inserting the known constant nonce. Nonces need to be unique every time the page is loaded. For static script, use hashes instead.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Summary: Unexpected behavior of CSP header in Firefox → CSP script nonce not working on test page
Whiteboard: [domsecurity-backlog2]

Thank you, Daniel. Currently, the nonce value is bound to the session. The value remains unchanged if there is no session (i.e. if the user isn't logged in). As you mentioned, this is not good practice; we will fix it by using hashes.

Severity: normal → S3