Open Bug 1683506 Opened 8 months ago Updated 7 months ago

CSP script-src with hashes allow inline event handlers to match the hash (even if 'unsafe-hashes' is not present)


(Core :: DOM: Security, defect, P3)

Firefox 84



Tracking Status
firefox-esr78 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix
firefox86 --- fix-optional


(Reporter: Moritz-Wilhelm, Unassigned)


(Blocks 1 open bug)


(Keywords: regression, Whiteboard: [domsecurity-backlog1])


(2 files)

Attached image unsafe-hashes-poc.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36

Steps to reproduce:

1.) Open Firefox
2.) visit about:blank or
3.) open the console
4.) enter document.write(<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">); document.write(<img src="" onerror="alert(42)">)

Alternatively use the following example html:
<!DOCTYPE html>
<html lang="en">
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">
<img src="" onerror="alert(42)">

Actual results:

An alert box with 42 is shown although the CSP prohibits it (see attachment).

This is actually the expected behavior for:
script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A=' 'unsafe-hashes'

Expected results:

Inline event handler script should be blocked due to the CSP.
Inline event handlers may only be executed if there is no script-src (or default-src) or if 'unsafe-inline' is present.
Hashes may only match inline scripts (via script tags). The newest 'unsafe-hashes' keyword should allow inline event handlers (and javascript: URLs) to match hashes [1]; however, this is not supported in Firefox yet [2, 3].
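The expected behaviour described above, as an added example that is not part of the bug report: a small Python model of the CSP3 "Does element match source list" rule for inline script, showing that a hash-source matches a <script> body but only matches an event handler once 'unsafe-hashes' is present. The function names (csp_hash, inline_allowed) are my own and nonce-source tokens are only checked for their effect on 'unsafe-inline'.

```python
import base64
import hashlib
import re

# Hash-source tokens may use base64 or base64url, with or without padding.
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'$", re.IGNORECASE)
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$", re.IGNORECASE)

def csp_hash(body: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source token ('sha256-...') for an inline script body."""
    digest = hashlib.new(algo.lower(), body.encode("utf-8")).digest()
    return f"'{algo.lower()}-{base64.b64encode(digest).decode('ascii')}'"

def _hash_token_matches(token: str, body: str) -> bool:
    """Compare the digest encoded in a hash-source token with the digest of body."""
    algo, b64 = token.strip("'").split("-", 1)
    b64 = b64.replace("-", "+").replace("_", "/")      # normalise base64url
    b64 += "=" * (-len(b64) % 4)                        # restore padding
    try:
        expected = base64.b64decode(b64)
    except ValueError:
        return False
    return hashlib.new(algo.lower(), body.encode("utf-8")).digest() == expected

def inline_allowed(source_list: str, kind: str, body: str) -> bool:
    """Decide whether script-src allows an inline script.

    kind is "script" (a <script> element body) or "handler" (an inline event
    handler attribute such as onerror). Mirrors CSP3: 'unsafe-inline' is ignored
    when a nonce or hash is present, and hashes only apply to handlers when
    'unsafe-hashes' is also listed.
    """
    tokens = source_list.split()
    lowered = {t.lower() for t in tokens}
    hash_sources = [t for t in tokens if HASH_RE.match(t)]
    has_nonce_or_hash = bool(hash_sources) or any(NONCE_RE.match(t) for t in tokens)
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return True
    if kind == "handler" and "'unsafe-hashes'" not in lowered:
        return False          # the outcome this bug report expects for onerror
    return any(_hash_token_matches(t, body) for t in hash_sources)

if __name__ == "__main__":
    h = csp_hash("alert(42)")  # constructed from the PoC's handler body
    print("script element:", inline_allowed(h, "script", "alert(42)"))
    print("event handler: ", inline_allowed(h, "handler", "alert(42)"))
    print("with 'unsafe-hashes':",
          inline_allowed(h + " 'unsafe-hashes'", "handler", "alert(42)"))
```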


4.) enter document.write(<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">); document.write(<img src="" onerror="alert(42)">)

should be
4.) enter document.write(`<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-sOq4p3/IUmdg10+FT4za4DO2/MDyaP9Aw+TRyl1Y09A='">`); document.write(`<img src="" onerror="alert(42)">`)
(markdown ate the backticks)

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Blocks: csp-w3c-3
Severity: -- → S3
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Attached file testcasexyz.html

Attaching a test case to test easily on other systems.

I could not reproduce using the first steps to reproduce due to a syntax error; Step 4 may be incorrect.
I have managed to reproduce it with the HTML test page provided and the "42" text alert gets displayed.

I have attempted to provide a regression range, but it appears that bisection could not be finished. Results:
"2021-01-11T13:05:32: INFO : platform_version: 63.0a1
2021-01-11T13:07:18: INFO : Narrowed nightly regression window from [2018-07-14, 2018-07-16] (2 days) to [2018-07-15, 2018-07-16] (1 days) (~0 steps left)"

Has Regression Range: --- → yes
Has STR: --- → yes
Ever confirmed: true
Keywords: regression
OS: Unspecified → All
Hardware: Unspecified → Desktop