Open Bug 1636570 Opened 4 years ago Updated 3 years ago

Investigate CSP violations

Categories

(Tree Management :: Treeherder: Infrastructure, defect)


Tracking

(Not tracked)

People

(Reporter: armenzg, Unassigned)

Attachments

(2 files)

I see a lot of them:

May 08 18:40:45 treeherder-prod app/web.1 [2020-05-08 18:40:45,431] WARNING [treeherder.webapp.api.csp_report:31] CSP violation: {'blocked-uri': 'data', 'document-uri': 'https://treeherder.mozilla.org/', 'original-policy': "default-src 'none'; script-src 'self' 'unsafe-eval' 'report-sample'; style-src 'self' 'unsafe-inline' 'report-sample' https://fonts.googleapis.com https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self' https://community-tc.services.mozilla.com https://firefox-ci-tc.services.mozilla.com https://.taskcluster-artifacts.net https://taskcluster-artifacts.net https://treestatus.mozilla-releng.net https://bugzilla.mozilla.org https://auth.mozilla.auth0.com https://stage.taskcluster.nonprod.cloudops.mozgcp.net/ https://artifacts.tcstage.mozaws.net/ https://.artifacts.tcstage.mozaws.net/ https://insights-api.newrelic.com; frame-src 'self' https://auth.mozilla.auth0.com; report-uri https://treeherder.mozilla.org/api/csp-report/", 'referrer': '', 'violated-directive': 'font-src'}

Hi Sarah,
From the output how can you determine what needs to be whitelisted?

Flags: needinfo?(sclements)

Formatted this so it's a little easier to read:

{
  "blocked-uri": "data",
  "document-uri": "https://treeherder.mozilla.org/",
  "original-policy": "default-src 'none';
    script-src 'self' 'unsafe-eval' 'report-sample';
    style-src 'self' 'unsafe-inline' 'report-sample' https://fonts.googleapis.com https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css;
    font-src 'self' https://fonts.gstatic.com;
    img-src 'self' data:;
    connect-src 'self' https://community-tc.services.mozilla.com https://firefox-ci-tc.services.mozilla.com https://.taskcluster-artifacts.net https://taskcluster-artifacts.net https://treestatus.mozilla-releng.net https://bugzilla.mozilla.org https://auth.mozilla.auth0.com https://stage.taskcluster.nonprod.cloudops.mozgcp.net/ https://artifacts.tcstage.mozaws.net/ https://.artifacts.tcstage.mozaws.net/ https://insights-api.newrelic.com;
    frame-src 'self' https://auth.mozilla.auth0.com;
    report-uri https://treeherder.mozilla.org/api/csp-report/",
  "referrer": "",
  "violated-directive": "font-src"
}

I'm not terribly familiar with CSPs so I looked into it a bit more. I think the blocked-uri: data is referring to data: URLs. But I don't think we want to allow data: for font-src, since it could have security implications.

Also the https://fonts.gstatic.com can be removed. Navigating to that in the browser returns a 404.

So it seems we'll get violations logged, and I think we only need to be concerned about them if it's something we actually should whitelist (versus someone trying to do something they shouldn't that's been blocked), and if that's the case then you can clearly see when it's breaking the UI. Is that correct, camd? I think Ed was the one who set this up.

Flags: needinfo?(sclements) → needinfo?(cdawson)

I see a note in the middleware.py file that explains why img-src allows data urls: "The data: is required for images that were inlined by webpack's url-loader (as an optimisation)"
https://github.com/mozilla/treeherder/blob/master/treeherder/middleware.py#L20

So that might be something to look into - if it pertains to fonts also.
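The question above (how to read a report and work out what would need to be whitelisted) comes down to three fields: violated-directive names the directive that blocked the load, blocked-uri says what was blocked (browsers reduce non-network sources such as data: URLs to a bare scheme, which is why the report says "data" rather than a full URL), and original-policy shows what that directive currently allows. The following is an added example, not Treeherder code; the report is constructed from the one quoted above with the connect-src list shortened, and the HIGH_RISK table reflects the well-known fact that scripts or plugins loaded from data: URLs bypass host allow-listing.

```python
"""Triage a single CSP violation report: which directive blocked what, and
which source expression would have to be added to allow it.

Added example for this bug, not Treeherder code. SAMPLE_REPORT is
constructed from the report quoted in the bug, with connect-src shortened.
"""
import json
from typing import Dict, List
from urllib.parse import urlsplit

SAMPLE_REPORT = json.loads(r'''{
  "blocked-uri": "data",
  "document-uri": "https://treeherder.mozilla.org/",
  "original-policy": "default-src 'none'; script-src 'self' 'unsafe-eval' 'report-sample'; style-src 'self' 'unsafe-inline' 'report-sample' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self' https://bugzilla.mozilla.org; frame-src 'self' https://auth.mozilla.auth0.com; report-uri https://treeherder.mozilla.org/api/csp-report/",
  "referrer": "",
  "violated-directive": "font-src"
}''')

# (directive, source) pairs whose addition is a known injection hole:
# a data: script or plugin is attacker-controlled content that no host
# allow-list can constrain. Everything else is flagged for manual review.
HIGH_RISK = {
    ("script-src", "data:"), ("object-src", "data:"), ("default-src", "data:"),
    ("script-src", "'unsafe-inline'"), ("script-src", "'unsafe-eval'"),
}


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def needed_source(blocked_uri: str) -> str:
    """Translate blocked-uri into the source expression that would permit it.

    Browsers strip non-network sources down to a bare scheme ('data', 'blob')
    or a keyword ('inline', 'eval'); network sources are allow-listed by
    origin, so the path and query are dropped.
    """
    if blocked_uri in ("data", "blob", "filesystem"):
        return blocked_uri + ":"
    if blocked_uri in ("inline", "eval"):
        return "'unsafe-%s'" % blocked_uri
    parts = urlsplit(blocked_uri)
    return "%s://%s" % (parts.scheme, parts.netloc)


def triage(report: dict) -> dict:
    """Return what was blocked, what currently governs it, and a candidate fix."""
    directives = parse_policy(report["original-policy"])
    # Some browsers include the directive's source list in violated-directive;
    # keep only the directive name.
    directive = report["violated-directive"].split()[0].lower()
    source = needed_source(report["blocked-uri"])
    if directive in directives:
        current = directives[directive]
        fix = "%s %s" % (directive, " ".join(current + [source]))
    else:
        # An absent fetch directive falls back to default-src. Suggest adding
        # an explicit directive instead of widening default-src for everything.
        current = directives.get("default-src", [])
        fix = "%s %s" % (directive, source)
    return {
        "directive": directive,
        "current_sources": current,
        "needed_source": source,
        "already_allowed": source in current,
        "fix": fix,
        "risk": "high" if (directive, source) in HIGH_RISK else "review",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

For the report in this bug the result is font-src, needed source data:, not currently allowed, candidate fix "font-src 'self' https://fonts.gstatic.com data:", flagged for review rather than high risk; the same report with violated-directive script-src would come back as high risk. Whether to accept a "review" item is exactly the judgement the comments above are making: find the asset that produces the data: URL (for example a bundler inlining it) before widening the policy.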

I don't know this area too well myself, I must admit. But after reading the MDN CSP page, I'm inclined to agree with Sarah on this.

Flags: needinfo?(cdawson)
Attached image data: shortcut icon

There's some info in this commit:
https://github.com/mozilla/treeherder/commit/5b7209be2914fd1b1f5a3e5125b33c7b6d06b701

I think Ed wanted warnings + reporting to New Relic.

I've found this:
https://insights.newrelic.com/accounts/677903/explorer/events?eventType=CSP%20violation&duration=604800000&facet=referrer

There's 18.7k font CSP violations in the last 7 days.

I see "shortcut icon" using "data:"; is that related?

What is the actual violation happening? I don't understand very well what's happening.

In case we need help April King works for us.
I saw this add-on recommended (not that I understand it):
https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/

Not sure if we actually block anything:

Once this has been deployed to production, and we're happy that the policy is not too strict (ie blocking things we shouldn't be), we can switch it to being a full CSP header and not the report-only version, so it actually starts taking effect.

This screenshot shows that something happened on May 10 that brought about this explosion of CSP violations.

This is a link to a more narrow window:
https://insights.newrelic.com/accounts/677903/explorer/events?eventType=CSP%20violation&duration=88200000&facet=referrer&end_time=1589210160000
