1661423 - Content-Security-Policy upgrade-insecure-requests is applied to <form>s on 127.0.0.0/8

Status: RESOLVED FIXED

(Core :: DOM: Security, defect, P2)

Description

[Dennis Schubert [:denschub]]

For a simple form like

<form>
  <input type="submit">
</form>

served with a Content-Security-Policy: upgrade-insecure-requests header, the form submission is upgraded to HTTPS even on localhost/127.0.0.0/8.

Given the existence of bug 1447784, the test in dom/security/test/csp/test_upgrade_insecure_loopback.html (which only is testing XHR, not form submissions), and the fact that Chrome seems not to upgrade, I assume this is a bug. :)

Comment 1

[Christoph Kerschbaumer [:ckerschb}]

Yeah, that is a bug, in fact we are missing the check nsMixedContentBlocker::IsPotentiallyTrustworthyLoopbackURL(aURI) in HTMLFormElement.

Probably worth auditing all the other places where we do document->GetUpgradeInsecureRequests or loadinfo->GetUpgradeInsecureRequests.

Maybe we can also extend the loopback test.

Freddy, maybe something for Jens?

Comment 2

[Frederik Braun [:freddy]]

Attachment: Bug 1661423 - dont apply upgrade-insecure-requests to localhost form submissions r=ckerschb

Comment 3

[Frederik Braun [:freddy]]

I have a patch, but the test looks a bit ugly now.
For some reason, the existing request from XHR didn't show up in the observer and I can't easily look at the result of the <form>, so now I have two methods to check for the tests to complete. Testcase 1 still uses the XHR response and I introduced an specialpowers-http-notify-request observer for testcase 2.

Comment 4

[Pulsebot]

Pushed by fbraun@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/299dd2d878ac
dont apply upgrade-insecure-requests to localhost form submissions r=ckerschb

Comment 5

[Narcis Beleuzu [:NarcisB]]

https://hg.mozilla.org/mozilla-central/rev/299dd2d878ac