CSP script-src with hashes allow inline event handlers to match the hash (even if 'unsafe-hashes' is not present)
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | wontfix |
| firefox84 | --- | wontfix |
| firefox85 | --- | wontfix |
| firefox86 | --- | fix-optional |
People
(Reporter: Moritz-Wilhelm, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: regression, Whiteboard: [domsecurity-backlog1])
Attachments
(2 files)
unsafe-hashes-poc.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Steps to reproduce:
1.) Open Firefox
2.) visit about:blank or http://example.com
3.) open the console
4.) enter document.write(<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">); document.write(<img src="" onerror="alert(42)">)
Alternatively use the following example html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">
</head>
<body>
<img src="" onerror="alert(42)">
</body>
</html>
Actual results:
Alertbox with 42 is showing although CSP is prohibiting it (see attachment).
This is actually the expected behavior for:
script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A=' 'unsafe-hashes'
Expected results:
Inline event handler script should be blocked due to the CSP.
Inline event handlers may only be executed if there is no script-src (or default-src) or if 'unsafe-inline' is present.
Hashes may only match to inline scripts (via script tags). The newest 'unsafe-hashes' keyword should allow inline event handlers (and javascript: urls) to match hashes [1], however, this is not supported in Firefox yet [2, 3].
[1] https://www.w3.org/TR/CSP3/#unsafe-hashes-usage
[2] https://caniuse.com/?search=unsafe-hashes
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1343950
|
Reporter | |
Comment 1•3 years ago
|
||
4.) enter document.write(
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">); document.write(<img src="" onerror="alert(42)">)
should be
4.) enter document.write(`<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">`); document.write(`<img src="" onerror="alert(42)">`)
(markdown ate the backticks)
|
||
Comment 2•3 years ago
|
||
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
|
||
Updated•3 years ago
|
|
||
Comment 3•3 years ago
|
||
Attaching test case test easily on other systems.
|
|
||
Comment 4•3 years ago
|
||
I could not reproduce using the first steps to reproduce due to a syntax error; Step 4 may be incorrect.
I have managed to reproduce it with the HTML test page provided and the "42" text alert gets displayed.
I have attempted to provide a regression range, but it appears that bisection could not be finished. Results:
"2021-01-11T13:05:32: INFO : platform_version: 63.0a1
2021-01-11T13:07:18: INFO : Narrowed nightly regression window from [2018-07-14, 2018-07-16] (2 days) to [2018-07-15, 2018-07-16] (1 days) (~0 steps left)"
|
||
Updated•3 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•1 year ago
|
Description
•