Open Bug 1723283 Opened 3 years ago Updated 3 years ago

Pages with CSP "frame-ancestors" fail to load in (permitted) frames if network.http.sendRefererHeader is set to "0"

Categories: Core :: DOM: Security, defect, P3
Platform: Desktop, Linux
Reporter: Manuel.Spam; Assignee: Unassigned
Whiteboard: [domsecurity-backlog1]

I don't know why, but for some reason in the backend there is some "link" between the Referer header and CSP "frame-ancestors".

Even if I spoof sending of the correct Referer header value from an Add-on it still fails to load.

Why is CSP linked to Referer? Can this be separated so that CSP still works even if the Referer is disabled for whatever reason?

There's no testcase here, the description is a little vague, and it's partly split between the summary and the description with important information in each. Please let me know if this is what you mean:

example.com
---> frames example.ORG

example.org/test has content-security-policy: frame-ancestors example.com

result: the example.org frame doesn't load if you block the referrer using network.http.sendRefererHeader set to "0"

You also talked about spoofing the referrer, which I assume means setting network.http.referer.spoofSource to true. Is that with or without turning off the referrer header with the above setting? If there's no referrer I wouldn't expect the spoofing pref to change anything.

Flags: needinfo?(Manuel.Spam)

(I don't know why this would be true -- we don't use the referrer to determine the ancestors, but maybe the referrer spoofing setting changes the thing we do check)

Sorry. You are right. I forgot to add a testcase for this issue.

As some background: I'm the author of: https://addons.mozilla.org/en-US/firefox/addon/togglereferrer/
I hate the "Referer" header as, in my opinion, no one ever has to know where I came from. So I usually surf the web with the Referer header completely off.

With the Referer completely off I came to a Reddit post like this one:
https://www.reddit.com/r/WatchPeopleCode/comments/le2v9w/live_now_26_inject_payloads_onto_a_usb_stick_ctf/

And if the Referer is disabled, all you see, instead of the Twitch player, is "Firefox Can’t Open This Page". Having a look at the developer tools reveals that "player.twitch.tv" contains the following header:
Content-Security-Policy: frame-ancestors https://cdn.embedly.com https://reddit.com https://www.reddit.com https://old.reddit.com https://new.reddit.com https://redditmedia.com

And this causes the embed to fail here if "network.http.sendRefererHeader" is on "0". As soon as I reset this preference (or enable the Referer in my Add-on) the frame embed works as expected. So for some reason Firefox seems to use the Referer internally for this CSP rule.

Expected behaviour: Firefox should have some other way to detect where the frame embed happened (origin URL) and should not depend on the Referer for this.

And about the spoofing part: It does not happen using any preference (my Add-on can't control this) but using a webRequest hook to only spoof the header entry itself.

Flags: needinfo?(Manuel.Spam)
Severity: -- → S4
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
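As an added illustration of what the comments above describe (this is not Firefox code and was not posted in this bug), here is a compact JavaScript implementation of the CSP Level 3 frame-ancestors check. Its only inputs are the framed document's URL and the chain of ancestor document URLs; the Referer header is not consulted at all, which is the behaviour the reporter expects and the reply in comment 1 describes. The Content-Security-Policy value is the one quoted from player.twitch.tv above; the embedding URLs, the player URL and the function names (`frameAncestorsAllows`, `sourceMatches`, `parseSource`) are my own. Default-port equivalence across the http-to-https upgrade is deliberately simplified.

```javascript
// Added example, not Firefox code: CSP Level 3 "frame-ancestors" evaluation.
// Inputs are the framed document's URL and its ancestor documents' URLs only;
// the Referer request header plays no part in the decision.

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Extract the frame-ancestors source list from a CSP header value.
// Returns null when the directive is absent (CSP then imposes no framing restriction).
function frameAncestorsSources(cspHeaderValue) {
  for (const directive of cspHeaderValue.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1);
    }
  }
  return null;
}

// Parse one source expression: "https://*.reddit.com:8443/path" or a bare "https:".
// Paths are accepted but ignored, since ancestors are compared by origin here.
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+|\*)(?::(\d+|\*))?(\/\S*)?$/i.exec(expr);
  if (m) {
    return {
      scheme: m[1] ? m[1].toLowerCase() + ":" : null,
      wildcardSub: Boolean(m[2]),
      host: m[3].toLowerCase(),
      port: m[4] || null,
    };
  }
  const s = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);
  return s ? { scheme: s[1].toLowerCase() + ":", host: null } : null;
}

// Scheme match with the upgrades the spec permits (an http: source admits https: URLs).
function schemeMatches(srcScheme, urlScheme) {
  return srcScheme === urlScheme
    || (srcScheme === "http:" && urlScheme === "https:")
    || (srcScheme === "ws:" && urlScheme === "wss:");
}

// Does one source expression admit the ancestor URL? `self` is the framed document's URL,
// used for 'self' and as the implied scheme of scheme-less host sources such as "example.com".
function sourceMatches(expr, ancestor, self) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return ancestor.origin === self.origin;
  const src = parseSource(expr);
  if (!src) return false;                                   // unrecognised token never matches
  if (src.host === null) return schemeMatches(src.scheme, ancestor.protocol);
  if (!schemeMatches(src.scheme || self.protocol, ancestor.protocol)) return false;
  const host = ancestor.hostname.toLowerCase();
  if (src.wildcardSub) {
    if (!host.endsWith("." + src.host)) return false;       // *.reddit.com excludes reddit.com itself
  } else if (src.host !== "*" && host !== src.host) {
    return false;
  }
  if (src.port === null) return ancestor.port === "";      // no port in source: URL must use its default port
  if (src.port === "*") return true;
  return (ancestor.port || DEFAULT_PORT[ancestor.protocol]) === src.port;
}

// Evaluate frame-ancestors for a document at `documentUrl` nested under `ancestorUrls`
// (nearest parent first). Every ancestor must match at least one source expression.
// Returns { allowed, blockedBy }, where blockedBy is the first offending ancestor or null.
function frameAncestorsAllows(cspHeaderValue, documentUrl, ancestorUrls) {
  const sources = frameAncestorsSources(cspHeaderValue);
  if (sources === null || ancestorUrls.length === 0) return { allowed: true, blockedBy: null };
  const self = new URL(documentUrl);
  for (const a of ancestorUrls) {
    const ancestor = new URL(a);
    if (!sources.some((expr) => sourceMatches(expr, ancestor, self))) {
      return { allowed: false, blockedBy: a };
    }
  }
  return { allowed: true, blockedBy: null };
}

// The policy value quoted from player.twitch.tv in the report; player and embedding URLs are constructed.
const TWITCH_CSP = "frame-ancestors https://cdn.embedly.com https://reddit.com https://www.reddit.com https://old.reddit.com https://new.reddit.com https://redditmedia.com";
const PLAYER_URL = "https://player.twitch.tv/?channel=example";

// Embedded by reddit: allowed. Embedded by an arbitrary site: blocked. Neither call looks at a Referer.
console.log(frameAncestorsAllows(TWITCH_CSP, PLAYER_URL, ["https://www.reddit.com/r/WatchPeopleCode/"]));
console.log(frameAncestorsAllows(TWITCH_CSP, PLAYER_URL, ["https://attacker.example/"]));
```

Note that a scheme-less source such as the `frame-ancestors example.com` from comment 1 inherits the framed document's scheme, so an https://example.org/test document framed by http://example.com is refused while https://example.com is admitted; a browser that skipped this check when no Referer was sent, or that derived the ancestor origin from the Referer, would diverge from the spec in exactly the way the reporter observed.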