Open Bug 1650058 Opened 5 years ago Updated 3 years ago

Content Security Policy warnings from Gmail are flagged as coming from chrome context

Categories

(Core :: DOM: Security, defect, P3)


People

(Reporter: nchevobbe, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Steps to reproduce

  1. Open a Firefox window
  2. Open the Browser Console, and make sure the "Show content messages" setting is turned off
  3. In Firefox, navigate to a Gmail page you are logged in to

Expected results

As a result of this navigation, I shouldn't see any messages in the browser console

Actual results

I'm seeing Content Security Policy warnings in the Browser Console: Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified


Debugging this, I can see that the nsIScriptError the console receives has isFromChromeContext set to true, which explains why it's shown.

The message is emitted from https://searchfox.org/mozilla-central/rev/31d8600b73dc85b4cdbabf45ac3f1a9c11700d8e/dom/security/nsCSPParser.cpp#1097-1098

which calls https://searchfox.org/mozilla-central/rev/31d8600b73dc85b4cdbabf45ac3f1a9c11700d8e/dom/security/nsCSPContext.cpp#918-953, which ends up calling https://searchfox.org/mozilla-central/rev/31d8600b73dc85b4cdbabf45ac3f1a9c11700d8e/dom/security/nsCSPUtils.cpp#221-229

Here it seems that we flag the error as coming from chrome if we don't pass an innerWindowID.

I don't know why we don't have it in this specific case, and it's hard to tell because I don't have information about the page the error occurs in. I tried to reproduce with a simple test case but couldn't (the messages were flagged appropriately). So maybe those are from an iframe, or something different, I'm not sure.
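The warning quoted above is produced by the CSP parser's 'strict-dynamic' rule. As an added example (not code from Firefox and not from this bug), the JavaScript below models that rule: it parses a serialized policy, prunes script-src the way a CSP3-aware browser does once 'strict-dynamic' is present, emits the corresponding warnings, and then shows which scripts still run. The sample policy, the function names and the wording of the "no nonce or hash" warning are this example's assumptions; the "Ignoring ..." text follows the message quoted in the report.

```javascript
// Added example: not Firefox code and not from this bug report. It models the
// CSP3 rule behind the warning quoted above: once script-src contains
// 'strict-dynamic', the parser ignores 'unsafe-inline', 'self' and every host
// or scheme source, and trusts only nonces, hashes and scripts that an
// already-trusted script inserts through DOM APIs. Function names, the sample
// policy and the wording of the "no nonce or hash" warning are assumptions.

const NONCE_RE = /^'nonce-[A-Za-z0-9+\/_=-]+'$/i;
const HASH_RE = /^'sha(256|384|512)-[A-Za-z0-9+\/_=-]+'$/i;
// Keywords whose meaning 'strict-dynamic' does not change.
const KEPT_KEYWORDS = new Set([
  "'strict-dynamic'", "'unsafe-eval'", "'unsafe-hashes'", "'report-sample'",
]);

// Serialized policy -> Map of directive name -> source list.
// As in CSP, only the first occurrence of a directive name counts.
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The script-src list a strict-dynamic-aware browser actually enforces,
// together with the parser warnings it emits while pruning it.
function effectiveScriptSrc(header) {
  const directives = parsePolicy(header);
  const declared = directives.get("script-src") || directives.get("default-src") || [];
  const strictDynamic = declared.some((s) => s.toLowerCase() === "'strict-dynamic'");
  const warnings = [];
  if (!strictDynamic) return { sources: declared, strictDynamic, warnings };

  const sources = [];
  for (const src of declared) {
    if (KEPT_KEYWORDS.has(src.toLowerCase()) || NONCE_RE.test(src) || HASH_RE.test(src)) {
      sources.push(src);
    } else {
      // 'unsafe-inline', 'self', schemes and hosts are all dropped here.
      warnings.push(`Content Security Policy: Ignoring “${src}” within script-src: ‘strict-dynamic’ specified`);
    }
  }
  if (!sources.some((s) => NONCE_RE.test(s) || HASH_RE.test(s))) {
    // Failure mode worth flagging: nothing is left that can grant trust.
    warnings.push("Content Security Policy: ‘strict-dynamic’ in script-src without a nonce or hash blocks every script");
  }
  return { sources, strictDynamic, warnings };
}

// Would this script run? `script` = { inline, nonce, hash, origin, parserInserted }.
function scriptAllowed(effective, script, pageOrigin) {
  const { sources, strictDynamic } = effective;
  const hasKeyword = (kw) => sources.some((s) => s.toLowerCase() === kw);
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  if (script.hash && sources.includes(`'${script.hash}'`)) return true;
  if (strictDynamic) {
    // Only non-parser-inserted scripts created by trusted code inherit trust;
    // markup scripts with no matching nonce/hash are blocked regardless of
    // what 'unsafe-inline' or the host list said.
    return !script.inline && script.parserInserted === false;
  }
  if (script.inline) return hasKeyword("'unsafe-inline'");
  // Legacy host matching, simplified to exact origin or '*' (assumption).
  return sources.includes("*")
    || (typeof script.origin === "string" && sources.includes(script.origin))
    || (hasKeyword("'self'") && script.origin === pageOrigin);
}

// Constructed sample: nonce + 'strict-dynamic', with 'unsafe-inline' and a host
// kept as a fallback for older browsers. This is the shape that triggers the warning.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'unsafe-inline' 'nonce-r4nd0m' https://cdn.example 'strict-dynamic'; object-src 'none'";

function demo() {
  const eff = effectiveScriptSrc(SAMPLE_POLICY);
  for (const w of eff.warnings) console.log(w);
  return {
    noncedInline: scriptAllowed(eff, { inline: true, nonce: "r4nd0m" }),
    plainInline: scriptAllowed(eff, { inline: true }),
    markupFromCdn: scriptAllowed(eff, { inline: false, origin: "https://cdn.example", parserInserted: true }),
    domInsertedByTrusted: scriptAllowed(eff, { inline: false, origin: "https://cdn.example", parserInserted: false }),
  };
}
demo();
```

The practical reading for a site owner: listing 'unsafe-inline' and a host allowlist next to a nonce and 'strict-dynamic' is the usual fallback for browsers that do not understand 'strict-dynamic'. Browsers that do understand it discard the fallback and log exactly this kind of "Ignoring" warning, so the message is expected rather than a misconfiguration, provided every script carries the nonce or is inserted by one that does.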

Without looking, Christoph says this might come from the "frame-ancestors" check which happens in the parent process before the content is loaded. Maybe we could pass a flag in that case to suppress it.

If it fails, do frame-ancestors check warnings go to the Web Console so developers can fix their site?

(In reply to Daniel Veditz [:dveditz] from comment #1)
> Without looking, Christoph says this might come from the "frame-ancestors" check which happens in the parent process before the content is loaded. Maybe we could pass a flag in that case to suppress it.
>
> If it fails, do frame-ancestors check warnings go to the Web Console so developers can fix their site?

Yes, so most likely it happens because we parse the CSP within PerformCSPFrameAncestorAndXFOCheck, which happens in the parent so we can enforce frame-ancestors checks.

Possibly passing a flag so as not to log parser errors would fix that problem.

Blocks: csp-w3c-3
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

The severity field is not set for this bug.
:ckerschb, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(ckerschb)
Severity: -- → S3
Flags: needinfo?(ckerschb)
Blocks: csp-console-logging
No longer blocks: csp-w3c-3

In bug 1645745 I am suppressing the warnings produced by the frame-ancestors code in the parent, which should also fix this.
