Closed Bug 1655269 Opened 4 years ago Closed 4 years ago

Enabling CSP causes add-ons to receive rejection notices

Categories

(WebExtensions :: General, defect)

78 Branch
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1446231

People

(Reporter: github, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

Enabled script-src 'self' for Content-Security-Policy in the headers with a simple web document containing no scripts for testing.
Running either Adblock Ultimate or AdGuard (both recommended add-ons by Mozilla).

Actual results:

The web developer console shows two content-blocked notifications caused by add-ons:
preload.js
sandbox eval code:9:350
Disabling add-ons removes these warnings.

Expected results:

The CSP should not trigger these notifications for add-ons as they are not part of the document being processed. There seems to be some add-on script leakage.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Add-ons Manager
Product: Firefox → Toolkit

Hello,

Thank you for submitting this bug report.

I’ve attempted to reproduce the issue based on the STR provided and on my technical knowledge, however, unfortunately, my technical skills regarding this matter are a bit lacking it seems, and I would like to request more detailed steps to reproduce in addition to the simple web document with no scripts you mentioned in order to properly test the issue.

Thank you!

Flags: needinfo?(github)
Summary: Enabling CPS causes add-ons to receive rejection notices → Enabling CSP causes add-ons to receive rejection notices

I was doing this by modifying the headers via an Apache server, but you can reproduce the same issue by using meta tags. The following HTML document will allow you to reproduce it:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
</head>
<body>
<a href="test.htm">Testing</a>
</body>
</html>

If you have Adblock Ultimate (or AdGuard) enabled and open the script in Firefox with Web Console open (Ctrl+Shift+K), you will see the error message; you may need to refresh the page. If you disable the add-on, then the error message goes away. Note that you may only see the "sandbox eval" error, but if you disable and re-enable the add-on, then you will see the preload.js report error. Larger scripts seem to cause both to appear automatically. I'm sure there are other add-ons that would cause this too, but I know that those two will allow you to reproduce it.

I can also confirm that Adblock Ultimate does not cause the same problem in Chrome.

The issue is that Firefox is reporting a violation of the content-security-policy on the page because it is also analysing background add-ons. Firefox should not be looking at add-on scripts if a website has enabled script-src in a CSP. This could look bad for website developers because after going to the lengths of ensuring their documents are safe, it might make visitors think that it is their site that has "unsafe" content, when it is actually the visitor's own browser that is reporting itself.

I hope that helps to clarify the issue and allow you to reproduce it.

Flags: needinfo?(github)

Hello,

Thank you for the quick response!
Based on the information you provided, I’ve managed to partially reproduce the issue on the latest Nightly (81.0a1/20200727203201), Beta (79.0/20200720193547) and Release (78.0.2/20200708170202) under Windows 10 Pro 64-bit and Ubuntu 16.04 LTS.

What I meant by only partially reproducing the issue is that I seem to only be able to get the "Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). sandbox eval code:9:350" error to display each time but not the preload.js one as well (even when disabling/enabling the add-on as you mentioned).
Furthermore, the error I do manage to get will only be displayed for AdBlocker Ultimate and not for AdGuard AdBlocker.

I’ve also attempted to find a regression window, targeting the sandbox eval code:9:350 error specifically, from 2018-01-01 until the present day, having narrowed it down to 2019-09-19, with the following pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b3ecb5aef45a8fb74764bb32e54567d57ed00383&tochange=19704452bd548d0c36d601d609cfcfe2c3e0caa2 (mozregression was unable to narrow it down further as it was failing to find new builds to test).
However, please note that the issue at hand might not actually be a regression, as for all tested builds so far, an error was displayed. For older builds - Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). webp.htm:1:1 (webp is the name of the web document I created) or for newer builds - Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). ExtensionContent.jsm:571:350.

Status: UNCONFIRMED → NEW
Has STR: --- → yes
Ever confirmed: true

It's strange that you were unable to get the preload.js error to appear. It could be to do with you running it in a local window. It might help if I point you to a live website I found is enforcing CSP. It's quite ironic that there are lots of blogs/tutorials out there that talk about it, but their own website doesn't use it! Anyway, the following URL is both a tutorial and a website that practises what it preaches. There are some other errors in there that the developer doesn't seem to be aware of - easily done! - but if you visit the page below and press Ctrl+Shift+K you will see the sandbox eval error immediately:
https://www.projectseven.net/php-content-security-policy.php
If you then leave that tab open and go to your Add-ons, turn Adblock Ultimate off and back on again, you should see the preload.js error appear. Refreshing the page will lose the preload.js error, but the eval error is persistent. If you turn Adblock Ultimate off and refresh the page, then neither error will appear.

I also found that Adguard Adblocker behaved the same. In addition, if I use a different ad blocker, like Adblock Plus which is incredibly popular based on having the most users, but isn't "recommended" by Mozilla, none of the errors appear. However, the issue remains that it is no place for Firefox to be assessing the behaviour of add-ons in a client's browser when a website enforces CSP for its own scripts.

I hope this extra information helps your investigation.

Change the status for beta to have the same as nightly and release.
For more information, please visit auto_nag documentation.

Hello Colin,

Thank you for the additional details! It is exactly as you mentioned in the last comment. This is what I’ve managed to obtain as results this time around:

I. AdBlocker Ultimate:

  1. Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). sandbox eval code:9:350 error
  2. Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). preload.js:149:52 error after disabling and re-enabling the add-on

II. AdGuard AdBlocker:

  1. Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). sandbox eval code:20:382 error
  2. Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). preload.js:136:15 error after disabling and re-enabling the add-on

III. Adblock Plus: No errors whatsoever

Note that the issue was reproduced on the latest Nightly (81.0a1/20200728213249), Beta (80.0b1/20200728204253) and Release (79.0/20200720193547) under Windows 10 Pro 64-bit and Ubuntu 16.04 LTS.

Component: Add-ons Manager → General
Product: Toolkit → WebExtensions
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Hi Rob, I'm very new to this procedure of reporting bugs, but I notice that you've marked this as a duplicate of bug 1446231 and that it is now resolved? When I looked at that bug it seems different, and it is from two years ago. Then a few minutes later you marked that bug as a duplicate of this one. Does this mean that the latest release of Firefox will now fix this bug? Or does having this bug marked as "resolved" simply mean it's not directly relevant any more, but has been added to the ever-growing pile of examples to demonstrate a currently unresolved issue? I want Firefox to be as good as it can be, which is why I've taken time to report an issue.

Hi Colin, welcome and thanks for reporting the bug.

Although I didn't mention it before, I did look up the source code of these ad blockers, and confirmed that they are trying to insert an inline script in the page to support their functionality. This does not work in some pages because Firefox is currently enforcing the content security policy for these scripts despite them coming from extensions. Bug 1446231 is used to track a potential improvement of this feature. As you can see in that bug, it hasn't been touched for a while though.

> Or does having this bug marked as "resolved" simply mean it's not directly relevant any more, but has been added to the ever-growing pile of examples to demonstrate a currently unresolved issue?

The "RESOLVED" state does not mean that the bug is fixed.
"RESOLVED" means that this specific bug report has a resolution, and the "Resolution" is DUPLICATE.
When a bug is fixed, the resolution will become FIXED or VERIFIED.
There is some more explanation on the status/resolution of bugs at https://developer.mozilla.org/en-US/docs/Mozilla/QA/A_Bugs_Life

> then a few minutes later you marked that bug as a duplicate of this one.

I can see where your confusion comes from. When I marked this bug as a duplicate of the other bug, the other bug automatically got a comment that referenced this bug, so that others on that bug can see that this bug has been marked as a duplicate of the other bug.
It should be read as "The following bugs are a Duplicate of this bug: 1655269"
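
The comment above explains that the notices come from inline scripts the ad blockers insert into the page, which the page's policy then blocks. As an added example (not code from Firefox or from either add-on), the following sketch applies the CSP Level 3 source-list rules to show why `script-src 'self'` rejects any inline script; the function names are hypothetical and hash matching against the script body is left out.

```javascript
// Added example: does a page's CSP permit an inline <script> element?
// Directive fallback for inline script elements, per CSP Level 3.
const FALLBACK = ['script-src-elem', 'script-src', 'default-src'];
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[^']+'$/i;

// Parse a serialized policy into a Map: directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns { allowed, directive }; directive is the one that decided the result.
// Hash matching against the script body is not implemented here.
function inlineScriptAllowed(policy, nonce = null) {
  const directives = parsePolicy(policy);
  const directive = FALLBACK.find((d) => directives.has(d)) ?? null;
  if (directive === null) return { allowed: true, directive };
  const sources = directives.get(directive);
  // A matching nonce allows this one script regardless of other keywords.
  if (nonce !== null && sources.includes(`'nonce-${nonce}'`)) {
    return { allowed: true, directive };
  }
  const keywords = sources.map((s) => s.toLowerCase());
  // 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' is present.
  const allowed = keywords.includes("'unsafe-inline'") &&
    !sources.some((s) => NONCE_OR_HASH.test(s)) &&
    !keywords.includes("'strict-dynamic'");
  return { allowed, directive };
}

// The policy from the reproduction document in this report.
console.log(inlineScriptAllowed("script-src 'self'"));
```
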

Thank you for your reply. I appreciate that you have an extremely busy job keeping track and managing bugs like this. That has certainly clarified. I wish you and your team the best of luck in resolving this and other issues. And thank you for the hard work you all do to make Firefox great.

Note that this is caused by poor code in the add-on. For example, uBlock Origin, which is an open source ad blocker for Firefox and Chrome, doesn't have any problems with strict CSP headers. Perhaps Mozilla should recommend that add-on for ad blocking instead of other add-ons with known issues with CSP?
