1640128 - CSP not using default-src hash values for inline scripts

Status: RESOLVED FIXED

(Core :: DOM: Security, defect, P3)

Description

[Chris Ridd]

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0

Steps to reproduce:

A content security policy is defined with only the default-src directive defined, including the 'self' attribute and a sha256 hash for an inline script contained on the index page for a site.

Header:
Content-Security-Policy: default-src 'self' 'sha256-pOxDwCqb5AUqWCTTxWuI7DRUeHqfUA3I2k5TLZofgmw='

Script:
<script>function onSubmit(token) {document.getElementById("login-form").submit();}</script>

Actual results:

When accessing the site, Firefox blocks the inline script:

Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src").

If the hash is included in the script-src directive instead, Firefox loads the script.

Expected results:

The script should have been allowed given that the script-src directive was not defined and default-src serves as a fallback when script-src is not defined: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src

Chrome 81 and Edge Legacy 44 work as expected.

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Comment 2

[Yury]

It is better to rename this bug as "Enforce 'hash-value' within default-src".
And link it with the a 4 year old bug "Enforce 'strict-dynamic' and nonce within default-src" https://bugzilla.mozilla.org/show_bug.cgi?id=1313937
Because it is essentially the same bug - all these tokens are still not supported in default-src directive.

Comment 4

[Tom S. (please needinfo tschuster)]

I have been looking bug 1313937 and this bug, because this is like one of the last missing pieces of CSP 2 support. bug 1313937 comment 16 also rightly points out that supporting 'unsafe-inline' in default-src, but not hashes is dangerous. We are supposed to ignore / invalidate the former when a hash or nonce is specified.

I would have liked to implement strict-dynamic at the same time, but we would probably have to change our overall CSP implementation significantly to achieve that. Currently when we encounter 'strict-dynamic' in any script-src we just invalidate almost all other sources. If we did that for default-src we would quickly run into issues: We want to keep using e.g. hosts for non script-like requests. I think to fix this we would have to basically get rid of our current invalidation approach and switch to an algorithmic approach closer to the current specification.

Comment 5

[Tom Schuster (MoCo)]

Attachment: Bug 1640128 - Support inline style/script hashes from default-src. r?freddyb

Comment 6

[Pulsebot]

Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cf7b6de16c41
Support inline style/script hashes from default-src. r=freddyb

Comment 7

[Noemi Erli[:noemi_erli]]

https://hg.mozilla.org/mozilla-central/rev/cf7b6de16c41

Comment 8

[Mike Kaply [:mkaply]]

Is there a preference or something that can be flipped to make this work on the 102 ESR (yes, I know it goes out of support this month, but someone has a big deployment and they are seeing this issue)

In hindsight, this is a great example of a bug that probably should have gone on the 102 ESR.

Comment 9

[Frederik Braun [:freddy]]

I think this bug builds upon a lot of other CSP improvements that might not be in ESR 102. Given this is a big deployment...Tom, can you take a look how much work it would be to get this into ESR 102?

Comment 10

[Mike Kaply [:mkaply]]

Sorry, to be clear, it's not worth it now. 102 goes out of support in a month.

Is there a workaround at all? We have someone having an issue in 102 (not sure how soon they can move to 115)

https://support.mozilla.org/en-US/questions/1422325

Comment 11

[Frederik Braun [:freddy]]

There's no pref, no known workaround AFAICT.