Open Bug 1529880 Opened 6 years ago Updated 2 years ago

Invalid style-src CSP violation reported

Categories

(Core :: DOM: Security, defect, P5)

Product:
Core
Component:
DOM: Security
Version:
65 Branch
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: oliver.salzburg, Unassigned)

Details

(Keywords: testcase-wanted, Whiteboard: [domsecurity-backlog])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36

Steps to reproduce:

I log into our web application. I'd prefer not to publish access to it on this tracker, but I'd be happy to arrange it for individuals.

Actual results:

When I visit our web application, Firefox reports a CSP violation:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).

It reports this on line 1 of the document.

Expected results:

I don't see any cause for the report and Firefox is the only browser reporting it.

Line 1 of the document contains only 1 style node and that node is decorated with a nonce. The same nonce is used on other nodes, so I have no concern that it might not be correct.

I know this is hardly enough information to work with, but I'd really prefer not to post too many details about issues on our platform publicly. I hope something can be arranged to exchange the relevant information privately.

Component: Untriaged → DOM: Security
Product: Firefox → Core

Can you create an HTML file that exhibits the same behavior? you can use a <meta http-equiv> tag to supply the CSP (which I assume would only be the relevant style-src nonce bit) and then as much content as needed to show the problem.

I'd start with the entire page as-is ("Save As... complete) to make sure it even reproduces locally, then trim stuff away until it's anonymous enough while still showing the problem.

Flags: needinfo?(oliver.salzburg)
Keywords: testcase-wanted

(In reply to Daniel Veditz [:dveditz] from comment #2)

Can you create an HTML file that exhibits the same behavior? you can use a <meta http-equiv> tag to supply the CSP (which I assume would only be the relevant style-src nonce bit) and then as much content as needed to show the problem.

I'd start with the entire page as-is ("Save As... complete) to make sure it even reproduces locally, then trim stuff away until it's anonymous enough while still showing the problem.

Excellent suggestion. I was not aware of that option. I was able to reproduce the issue with the following code:

<!DOCTYPE html>
<html>
<head>
	<meta http-equiv="content-type" content="text/html; charset=UTF-8">
	<meta http-equiv="content-security-policy" content="default-src 'self' 'nonce-MDg4OGU1MWUtY2FjNi00ZjU2LWIzNzEtYjJiNzliOGUzYmYw'; style-src 'self' 'nonce-MDg4OGU1MWUtY2FjNi00ZjU2LWIzNzEtYjJiNzliOGUzYmYw';">
</head>

<body>
	<div class="" style=""></div>
</body>

</html>

It seems like the style="" is causing the violation.

Flags: needinfo?(oliver.salzburg)

Hm, ambiguous. We see this as an in-line attempt to set style (which happens to be empty), whereas Chrome must be seeing an empty string as equivalent to no attribute and not triggering the violation.

I suppose we should check what Chrome does with a couple of other "nothing" cases. If the string isn't completely empty (a bunch of spaces) does Chrome issue an error? What if it's not completely empty but is otherwise a nop, like just a comment?

I'm not sure this will raise to a priority level where we'll fix it, but maybe we should clarify the spec.

Priority: -- → P5
Whiteboard: [domsecurity-backlog]

What I found most confusing about this issue is that the style attribute is apparently added by third-party JS and the node it is being added to is not on line 1 in the original HTML source as it appears in the browser.

It caused me a lot of confusion, but I understand if this is too much of an edge case.

Thanks for the explanation!

Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.