Use CSP on Fenix error pages and other resources
Categories
(Fenix :: General, defect)
Tracking
(firefox81 wontfix, firefox84 wontfix, firefox85 fixed)
People
(Reporter: Gijs, Assigned: petru)
References
Details
(Keywords: csectype-priv-escalation, sec-high, Whiteboard: [post-critsmash-triage][adv-main85-])
bug 1658144 and bug 1657055 are using XSS in the fenix error page to bypass cert warnings.
Now, of course Fenix should be getting its sanitization right, but I would also expect us to be able to lock this down with CSP. We already have CSP in place (at least on desktop; I assume also for Fenix?), can we make it a lot more strict so as to avoid these issues?
Reporter | ||
Comment 1•4 years ago
|
||
Huh, so, having looked into this a bit more: as far as I can tell, the Fenix attacks cannot happen on desktop (CSP only allows script from chrome:
, so inline script wouldn't run), and the issue is that Fenix's error page has no CSP and extensively uses innerHTML
. Going to move this bug as a result.
Reporter | ||
Updated•4 years ago
|
Comment 2•4 years ago
|
||
On desktop the CSP and innerHTML sanitization formed a "chrome sandbox" that has saved our bacon several times. Missing that is a severe lack.
Assignee | ||
Comment 3•4 years ago
|
||
Filed https://github.com/mozilla-mobile/fenix/issues/16248 for fixing this on Fenix.
Assignee | ||
Comment 4•4 years ago
|
||
Gijs, can you please add me to the tickets from comment 0?
I expect there to see more details about how Fenix was/is affected to then work on a solution.
Reporter | ||
Comment 5•4 years ago
|
||
(In reply to Petru-Mugurel Lingurar [:petru] from comment #4)
Gijs, can you please add me to the tickets from comment 0?
I expect there to see more details about how Fenix was/is affected to then work on a solution.
I've added you. I think the CSP here should block all script other than that from chrome: URIs. This will mean any inline script will stop working, so we should also switch from any existing inline JS event handlers to using dynamically added JS event handlers.
It'd probably be a good idea to do something similar for inline styles, though I'm less worried about those.
Reporter | ||
Comment 6•4 years ago
|
||
Oh, and note that when I looked at this, it was a bit "interesting" because my impression was that some of the markup lives in android components, some in fenix, and ditto for script. I don't know how the interdependencies "should" work and if changing AC would mean updating consumers for the new error page world.
Comment 7•4 years ago
|
||
Stefan what is left to do here? This bug gets included in a list of high/crit sec bugs with no owner.
Assignee | ||
Comment 8•4 years ago
|
||
I understand we have something like this on iOS but AC / GV might not yet support this.
Christian, do you know if we have the right CSP APIs to leverage for this in AC or they have to be built now?
Comment 9•4 years ago
|
||
Christian, do you know if we have the right CSP APIs to leverage for this in AC or they have to be built now?
We don't currently have any A-C APIs for this, but I am also not sure we should need one. As I understand the ticket, the problem is that CSP rules are not applied for pages served from Android assets (resource://
URIs), right?
We could add a <meta http-equiv="Content-Security-Policy"...
tag to our error page to verify and talk to the GV team to understand what we'd need to make this work. Currently, we simply return the resoure://
URI from onLoadError
and let GV load the local page.
Comment 10•4 years ago
|
||
(In reply to Christian Sadilek [:csadilek] from comment #9)
We could add a
<meta http-equiv="Content-Security-Policy"...
tag to our error page to verify and talk to the GV team to understand what we'd need to make this work. Currently, we simply return theresoure://
URI fromonLoadError
and let GV load the local page.
This is sort-of what we do on Firefox for Desktop.
You might have to rewrite some bits of the page so that JavaScript resources are in their own file (instead of inline-events), but these are easy bugs which you could even hand out to contributors.
Once that's done, you can add a CSP via <meta>
like we do on Desktop.
Our CSP is <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'">
. I suppose you'll have to add resource:
, if I'm understanding comment 9 correctly.
Assignee | ||
Comment 11•4 years ago
|
||
After reversing Sebastian's patch from https://bugzilla.mozilla.org/show_bug.cgi?id=1657055 I tested with
<meta http-equiv="Content-Security-Policy" content="default-src resource:; object-src 'none'">
everything looks ok, https://self-signed.badssl.com/?%3Cimg%20src%3D%23%20onerror%3DacceptAndContinue(true)%3E doesn't bypass the error page
but our inline js also doesn't work.
To get the scripts working I'd have to add script-src resource: 'unsafe-inline'
after which the above url would again bypass the error page.
So it looks like we first need to refactor the pages to not use inline scripts after which a simple CSP header will block XSS.
Assignee | ||
Comment 12•4 years ago
•
|
||
Asking csadilek what should be the course of action here:
- Use
<meta http-equiv="Content-Security-Policy" content="default-src resource:; script-src resource: 'unsafe-inline'; object-src 'none'">
which must be used in conjuction with the proper sanitization (like in #1657055) - Use
<meta http-equiv="Content-Security-Policy" content="default-src resource:; object-src 'none'">
but having to refactor all the error pages to not use inline scripts.
Comment 13•4 years ago
|
||
The bug is just called "use CSP", but that's not super accurate. A CSP with 'unsafe-inline' is not adding any security.
You will only find a meaningful XSS mitigation if you refactor your internal pages not to use inline scripts.
Comment 14•4 years ago
|
||
Thanks :petru for testing and verifying, and :freddy for confirming how this should work with CSP!
So, yes, we would need to add the latter: <meta http-equiv="Content-Security-Policy" content="default-src resource:; object-src 'none'">
and refactor our error pages (error_page_js.html in A-C, as well as high_risk_error_pages.html and low_and_medium_rsik_error_pages.html in Fenix) to not rely on inline scripts.
Assignee | ||
Comment 15•4 years ago
|
||
The error pages that Fenix uses were refactored to not contain inline scripts anymore and then Content-Security-Policy" content="default-src resource:; object-src 'none'
was set.
QA verified that after this there weren't any new issues in https://github.com/mozilla-mobile/fenix/issues/16248.
Closing this ticket as FIXED.
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Updated•2 years ago
|
Description
•