Open Bug 1683506 Opened 8 months ago Updated 7 months ago

CSP script-src with hashes allow inline event handlers to match the hash (even if 'unsafe-hashes' is not present)

Categories

(Core :: DOM: Security, defect, P3)

Firefox 84
Desktop
All
defect

Tracking


Tracking Status
firefox-esr78 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- fix-optional

People

(Reporter: Moritz-Wilhelm, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: regression, Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

Attached image unsafe-hashes-poc.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

Steps to reproduce:

1.) Open Firefox
2.) visit about:blank or http://example.com
3.) open the console
4.) enter document.write(<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">); document.write(<img src="" onerror="alert(42)">)

Alternatively use the following example html:
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">
</head>
<body>
<img src="" onerror="alert(42)">
</body>
</html>

Actual results:

An alert box with 42 is shown although the CSP prohibits it (see attachment).

This is actually the expected behavior for:
script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A=' 'unsafe-hashes'

Expected results:

Inline event handler script should be blocked due to the CSP.
Inline event handlers may only be executed if there is no script-src (or default-src) or if 'unsafe-inline' is present.
Hashes may only match to inline scripts (via script tags). The newest 'unsafe-hashes' keyword should allow inline event handlers (and javascript: urls) to match hashes [1], however, this is not supported in Firefox yet [2, 3].

[1] https://www.w3.org/TR/CSP3/#unsafe-hashes-usage
[2] https://caniuse.com/?search=unsafe-hashes
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1343950

4.) enter document.write(<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">); document.write(<img src="" onerror="alert(42)">)

should be
4.) enter document.write(`<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">`); document.write(`<img src="" onerror="alert(42)">`)
(markdown ate the backticks)

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Blocks: csp-w3c-3
Severity: -- → S3
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Attached file testcasexyz.html

Attaching a test case to test easily on other systems.

I could not reproduce using the first steps to reproduce due to a syntax error; Step 4 may be incorrect.
I have managed to reproduce it with the HTML test page provided and the "42" text alert gets displayed.

I have attempted to provide a regression range, but it appears that bisection could not be finished. Results:
"2021-01-11T13:05:32: INFO : platform_version: 63.0a1
2021-01-11T13:07:18: INFO : Narrowed nightly regression window from [2018-07-14, 2018-07-16] (2 days) to [2018-07-15, 2018-07-16] (1 days) (~0 steps left)"

Status: UNCONFIRMED → NEW
Has Regression Range: --- → yes
Has STR: --- → yes
Ever confirmed: true
Keywords: regression
OS: Unspecified → All
Hardware: Unspecified → Desktop