Bug 1597645 (CVE-2019-17020) - Content-Security-Policy inline script execution is bypassed on XSL pages
Status: Closed, RESOLVED FIXED (opened 5 years ago, closed 5 years ago)
Categories: Core :: DOM: Security, defect, P2
Target Milestone: mozilla72

Release | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox71 | --- | wontfix
firefox72 | --- | fixed

People: Reporter: matthew-bugzilla, Assigned: sstreich
References: Regression
Keywords: regression, reporter-external, sec-moderate
Whiteboard: [reporter-external] [client-bounty-form] [verif?][domsecurity-active][adv-main72+][post-critsmash-triage]
Attachments: 2 files
I discovered this issue while implementing an XSL stylesheet on an RSS feed.
Firefox (I am running version 70.0.1 on Windows 10) does not honour the Content-Security-Policy header on inline JavaScript given in an XSL template included by an XML file.
I have made some test cases which I hope are helpful:
- https://traintimes.org.uk/firefox-csp/ shows the main issue I found - it is an XML file sent with a CSP header saying no inline JavaScript, but includes an XSL stylesheet containing a template with inline JavaScript that does run in Firefox (both the inline script and the inline event handler);
- https://traintimes.org.uk/firefox-csp/html.php is the same HTML as the XSL template, but served as HTML, and here you can see the inline JavaScript does not run in Firefox.
In Chrome, you get the error: "Refused to execute inline script because it violates the following Content Security Policy directive" on both HTML and XML versions.
Flags: sec-bounty?
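The reporter's two test cases reproduced locally, as an added example that is not part of the bug report or of Firefox's own test suite: a small Python server that serves the same inline-script markup once as XML plus XSL and once as plain HTML under one CSP, and records the violation reports a browser sends when it blocks the script. The policy string, paths and markup are assumptions; a browser that enforces the XML document's CSP on the XSLT result leaves both pages reading "inline script blocked".

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed policy (not from the report): no inline script; violations are reported back to us.
CSP = "default-src 'self'; report-uri /csp-report"

# Benign inline script and inline handler; a conforming browser must run neither.
INLINE_HTML = ('<p id="r">inline script blocked</p>'
               '<script>document.getElementById("r").textContent="inline script RAN"</script>'
               '<button onclick="this.textContent=\'handler RAN\'">click me</button>')
# Constructed XML feed referencing a constructed XSL template that emits INLINE_HTML.
XML_DOC = ('<?xml version="1.0"?>\n<?xml-stylesheet type="text/xsl" href="/feed.xsl"?>\n'
           '<rss><channel><title>constructed feed</title></channel></rss>')
XSL_DOC = ('<?xml version="1.0"?>\n'
           '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
           '<xsl:template match="/"><html><body>' + INLINE_HTML + '</body></html></xsl:template>'
           '</xsl:stylesheet>')
HTML_DOC = "<!doctype html><html><body>" + INLINE_HTML + "</body></html>"  # same markup, served as HTML

ROUTES = {"/feed.xml": ("text/xml", XML_DOC),
          "/feed.xsl": ("text/xsl", XSL_DOC),
          "/page.html": ("text/html", HTML_DOC)}
REPORTS = []  # violated directives received from the browser

def parse_csp_report(body: bytes) -> str:
    """Return the violated directive from a CSP report body ('' if unparseable)."""
    try:
        return json.loads(body).get("csp-report", {}).get("violated-directive", "")
    except (ValueError, AttributeError):
        return ""

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        ctype, body = ROUTES.get(self.path, ("text/plain", "not found"))
        self.send_response(200 if self.path in ROUTES else 404)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Security-Policy", CSP)  # identical CSP on XML, XSL and HTML
        self.end_headers()
        self.wfile.write(body.encode())

    def do_POST(self):  # browsers POST JSON violation reports here
        if self.path == "/csp-report":
            REPORTS.append(parse_csp_report(self.rfile.read(int(self.headers.get("Content-Length", 0)))))
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    # Open /feed.xml and /page.html on localhost:8000: both must keep the text "inline script
    # blocked", and REPORTS gains one violated directive per blocked script.
    HTTPServer(("localhost", 8000), Handler).serve_forever()
```

A browser still affected by this bug shows "inline script RAN" on /feed.xml only, and sends no report for it.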
Updated • 5 years ago
Group: firefox-core-security → dom-core-security
Component: Security → DOM: Security
Product: Firefox → Core
Updated • 5 years ago
Keywords: sec-moderate
Comment 2 • 5 years ago
Updated • 5 years ago
Assignee: nobody → sstreich
Flags: needinfo?(sstreich)
Updated • 5 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P2
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][dom-security-active]
Updated • 5 years ago
Whiteboard: [reporter-external] [client-bounty-form] [verif?][dom-security-active] → [reporter-external] [client-bounty-form] [verif?][domsecurity-active]
Comment 3 • 5 years ago
Comment 4 • 5 years ago
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox72: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Comment 5 • 5 years ago
Is this something we should consider backporting to ESR68 as well or is riding with Fx72 sufficient?
status-firefox71: --- → wontfix
status-firefox-esr68: --- → affected
tracking-firefox-esr68: --- → ?
Flags: needinfo?(sstreich)
Updated • 5 years ago
Flags: in-testsuite+
Comment 6 • 5 years ago
I just checked this on ESR68 - can confirm it is not affected.
My guess is this got introduced with Bug 965637, which landed on 69.
Flags: needinfo?(sstreich)
Updated • 5 years ago
tracking-firefox-esr68: ? → ---
Updated • 5 years ago
Type: task → defect
Updated • 5 years ago
Whiteboard: [reporter-external] [client-bounty-form] [verif?][domsecurity-active] → [reporter-external] [client-bounty-form] [verif?][domsecurity-active][adv-main72+]
Comment 7 • 5 years ago
Updated • 5 years ago
Flags: qe-verify-
Whiteboard: [reporter-external] [client-bounty-form] [verif?][domsecurity-active][adv-main72+] → [reporter-external] [client-bounty-form] [verif?][domsecurity-active][adv-main72+][post-critsmash-triage]
Updated • 5 years ago
Alias: CVE-2019-17020
Updated • 5 years ago
Group: core-security-release
Updated • 3 years ago
Has Regression Range: --- → yes
Updated • 8 months ago
Keywords: reporter-external