Closed Bug 1692576 Opened 5 years ago Closed 4 years ago

CSP Hash is not respected

Categories

(Core :: DOM: Security, defect)

Firefox 85
defect


RESOLVED DUPLICATE of bug 1640128

People

(Reporter: admin, Assigned: n.goeggi)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36

Steps to reproduce:

Navigate to https://mahjong4friends.com

The CSP contains the hash generated by Chrome DevTools, as well as standard SHA256 hashing. Since Firefox does not provide the correct hash when a CSP issue is thrown, I can't tell if the hash is being computed improperly, or what exactly is going on here. My CSP works correctly in Chrome, and I was unable to resolve the issue by reformatting my CSP into a single line, or by removing the unnecessary declarations.

It is possible this is an issue on my end, but the generic error message, lack of warnings, and successful loading in Chrome have made it impossible to debug.

This affects both my laptop and my phone, so it is not a device specific issue.

Actual results:

CSP blocks loading of an inline script, causing the entire page to end up blank

Expected results:

The script should have loaded, as the hash matched.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

This sounds bad -- why aren't more sites breaking? Need to figure out what we're computing differently from Chrome. We do have a lot of tests for this -- I wonder if there's some special character in there that's tripping us up.

Flags: needinfo?(ckerschb)

It did seem extremely odd, as the use case is common enough I would expect it to be near bulletproof. It's possible something is wrong with my CSP that is causing Firefox to read it improperly, but the error is generic, and everything is working fine in Safari as well as Chrome.

Retyped the CSP without any of the 192... or 127... stuff, and in just one line, but it's still erroring - it's even erroring with just the hash alone - so it's not making any sense to me.

Assignee: nobody → ngogge
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

The underlying reason for this bug is filed as Bug 1640128. Firefox does not currently allow hashes for inline scripts to be specified in the default-src directive; only hashes specified in script-src are respected.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE

Thanks Niklas for looking into it!

FWIW, the page https://mahjong4friends.com uses a csp of
<meta http-equiv="Content-Security-Policy" content="default-src 'sha256-pwfBaPA/jB4ag128SbKDs6ETaosLphVTBO0ui9gafNc='; ... > and Firefox currently does not support hash-src in default-src, only in script-src.

For the sake of completeness there is also Bug 1313937#c1 which talks about not enforcing strict-dynamic within default-src. I guess once we tackle all of hash, nonce and strict-dynamic it will be in either of those bugs.

Flags: needinfo?(ckerschb)