Invalid style-src CSP violation reported
Categories: Core :: DOM: Security, defect, P5
People: Reporter: oliver.salzburg, Unassigned
Details: Keywords: testcase-wanted, Whiteboard: [domsecurity-backlog]
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36
Steps to reproduce:
I log into our web application. I'd prefer not to publish access to it on this tracker, but I'd be happy to arrange it for individuals.
Actual results:
When I visit our web application, Firefox reports a CSP violation:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).
It reports this on line 1 of the document.
Expected results:
I don't see any cause for the report and Firefox is the only browser reporting it.
Line 1 of the document contains only 1 style node and that node is decorated with a nonce. The same nonce is used on other nodes, so I have no concern that it might not be correct.
Reporter
Comment 1•6 years ago
I know this is hardly enough information to work with, but I'd really prefer not to post too many details about issues on our platform publicly. I hope something can be arranged to exchange the relevant information privately.
Updated•6 years ago
Comment 2•6 years ago
Can you create an HTML file that exhibits the same behavior? You can use a <meta http-equiv> tag to supply the CSP (which I assume would only be the relevant style-src nonce bit) and then as much content as needed to show the problem.
I'd start with the entire page as-is ("Save As... complete") to make sure it even reproduces locally, then trim stuff away until it's anonymous enough while still showing the problem.
Reporter
Comment 3•6 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
Can you create an HTML file that exhibits the same behavior? You can use a <meta http-equiv> tag to supply the CSP (which I assume would only be the relevant style-src nonce bit) and then as much content as needed to show the problem.
I'd start with the entire page as-is ("Save As... complete") to make sure it even reproduces locally, then trim stuff away until it's anonymous enough while still showing the problem.
Excellent suggestion. I was not aware of that option. I was able to reproduce the issue with the following code:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="content-security-policy" content="default-src 'self' 'nonce-MDg4OGU1MWUtY2FjNi00ZjU2LWIzNzEtYjJiNzliOGUzYmYw'; style-src 'self' 'nonce-MDg4OGU1MWUtY2FjNi00ZjU2LWIzNzEtYjJiNzliOGUzYmYw';">
</head>
<body>
<div class="" style=""></div>
</body>
</html>
It seems like the style="" is causing the violation.
Comment 4•6 years ago
Hm, ambiguous. We see this as an in-line attempt to set style (which happens to be empty), whereas Chrome must be seeing an empty string as equivalent to no attribute and not triggering the violation.
I suppose we should check what Chrome does with a couple of other "nothing" cases. If the string isn't completely empty (a bunch of spaces) does Chrome issue an error? What if it's not completely empty but is otherwise a nop, like just a comment?
I'm not sure this will raise to a priority level where we'll fix it, but maybe we should clarify the spec.
Reporter
Comment 5•6 years ago
What I found most confusing about this issue is that the style attribute is apparently added by third-party JS and the node it is being added to is not on line 1 in the original HTML source as it appears in the browser.
It caused me a lot of confusion, but I understand if this is too much of an edge case.
Thanks for the explanation!
Updated•2 years ago