Differing CSP behavior for synthetic Response from service workers in Firefox and Chrome
Categories: Core :: DOM: Security, defect, P3
People: Reporter: sdissegna, Unassigned
References: Blocks 1 open bug
Whiteboard: [domsecurity-backlog2]
Attachments (1 file): 1.37 KB, application/zip
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Steps to reproduce:
Serve the attached website (e.g. using python3 -m http.server) and navigate to the page. Reload the page once. Open the developer console network tab, then click on the button in the page.
Actual results:
In Firefox, you'll see the message "Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:8000/sw.js (“img-src”).", and the request will show a CSP error in the network tab.
In Chrome, the request for the fake image will succeed.
Expected results:
I'm not sure which is the correct behavior between Chrome and Firefox. The CSP in the page allows requests to example.com subdomains, and the service worker handles all such requests and returns a synthetic Response.
On Firefox, this works only if img-src contains both the service worker origin AND the request origin, while I'd expect to need to whitelist only the request origin, as happens in Chrome.
Updated•4 years ago
Comment 1•4 years ago
Isn't that kind of like the Service Worker is doing a redirect there? Why shouldn't the Service Worker block it?
Does the Service Worker itself have a CSP on it?
An interesting test would be two pages with different CSPs using the same service worker. I assume the CSP rules are coming from the triggering principal being passed along and the service worker should have different enforcement. But then what if the data gets cached by the SW when the page that allows it requests it -- should that then be served to the page that wanted to block it?
Honestly I'm not sure what the right thing here is.
Comment 2•4 years ago
Okay, the document has this CSP: default-src 'none'; img-src https://*.example.com; script-src 'self';. The service worker does not have a CSP so no CSP checks will run there. If the service worker gets a .example.com request it returns a synthetic response instead. The document does a .example.com request for the img element.
There are two relevant CSP checks:
- https://w3c.github.io/webappsec-csp/#should-block-request
- https://w3c.github.io/webappsec-csp/#should-block-response
Both are invoked from Fetch and apply to the document. Notably, the second one is invoked after the synthetic response gets a clone of the URL list of the request.
I think the combination of all these facts means that both CSP checks ought to pass and Firefox has a bug.
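To make the reasoning in the report and in Comment 2 concrete, here is a small model of the two CSP checks, written for this page and not taken from the bug, from Firefox or from Chrome. Function names (parsePolicy, sourceMatches, shouldBlockRequest, shouldBlockResponse, evaluateSyntheticImageFetch) are hypothetical, the document origin http://localhost:8000 is assumed from the python3 -m http.server step, and matching covers only 'none', 'self' and host-source expressions, which is all the policy under discussion uses. It evaluates the document's policy against the image URL the page requests (the URL the synthetic response inherits under Fetch) and, separately, against the worker script URL that the Firefox console message names under img-src.

```javascript
// Added example, not code from the bug report or the browsers it discusses.
// Models CSP3 should-block-request / should-block-response for the policy in
// Comment 2. Names are hypothetical; only the source forms used here are handled.

const DOCUMENT_CSP = "default-src 'none'; img-src https://*.example.com; script-src 'self'";
const DOCUMENT_ORIGIN = 'http://localhost:8000';   // assumed: python3 -m http.server

// Parse "name src src; name src ..." into Map<directive, string[]>; CSP keeps
// only the first occurrence of a directive name.
function parsePolicy(serialized) {
  const policy = new Map();
  for (const token of serialized.split(';')) {
    const [name, ...sources] = token.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression match the URL? Handles 'none', 'self' and
// host-sources (optional scheme, optional *. wildcard, optional port).
// Simplification: a scheme-less source accepts http and https; http: also
// covers https: as in CSP3 scheme-part matching. Other forms return false.
function sourceMatches(source, url, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === selfOrigin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^:/*]+|[^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  const allowed = scheme ? [scheme.toLowerCase()] : ['http', 'https'];
  if (allowed[0] === 'http' && !allowed.includes('https')) allowed.push('https');
  if (!allowed.includes(urlScheme)) return false;
  const host = url.hostname.toLowerCase();
  const pattern = hostPattern.toLowerCase();
  const hostOk = pattern.startsWith('*.')
    ? host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1
    : host === pattern;
  if (!hostOk) return false;
  if (port === undefined) return url.port === '';   // default port for the scheme only
  return port === '*' || url.port === port;
}

// Fetch directives fall back to default-src when their own directive is absent.
function effectiveSources(policy, directive) {
  return policy.get(directive) ?? policy.get('default-src') ?? null;
}

// should-block-request: the request URL must match the effective directive.
function shouldBlockRequest(policy, directive, requestUrl, selfOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return false;              // no directive governs this request
  const url = new URL(requestUrl);
  return !sources.some(s => sourceMatches(s, url, selfOrigin));
}

// should-block-response: every URL in the response's URL list must be allowed
// (a redirect adds each hop to the list, which is how redirects get caught).
function shouldBlockResponse(policy, directive, responseUrlList, selfOrigin) {
  return responseUrlList.some(u => shouldBlockRequest(policy, directive, u, selfOrigin));
}

// The scenario from the report. Under Fetch, a synthetic Response from the
// service worker gets a clone of the request's URL list, so the response check
// sees the *.example.com URL (responseBlockedPerSpec). The Firefox console
// message names the worker script URL under img-src; the last field shows what
// the check returns if that URL is what gets matched. This is a model of the
// reported observation, not a description of Firefox internals.
function evaluateSyntheticImageFetch(cspHeader, selfOrigin, imageUrl, workerScriptUrl) {
  const policy = parsePolicy(cspHeader);
  return {
    requestBlocked: shouldBlockRequest(policy, 'img-src', imageUrl, selfOrigin),
    responseBlockedPerSpec: shouldBlockResponse(policy, 'img-src', [imageUrl], selfOrigin),
    responseBlockedIfWorkerUrlChecked:
      shouldBlockResponse(policy, 'img-src', [workerScriptUrl], selfOrigin),
  };
}

// Constructed inputs: the image URL the page requests and the worker script URL
// from the reporter's console message.
console.log(evaluateSyntheticImageFetch(
  DOCUMENT_CSP, DOCUMENT_ORIGIN, 'https://img.example.com/pic.png', 'http://localhost:8000/sw.js'));
```

With the document's policy, both checks pass when the request's URL list is what the response check sees, which is the outcome Comment 2 argues for; they only fail when the worker script's URL is matched against img-src, which is exactly the condition under which the reporter's workaround (adding the worker origin to img-src) makes the load succeed.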
Comment 3•4 years ago
The severity field is not set for this bug.
:ckerschb, could you have a look please?
For more information, please visit auto_nag documentation.
Updated•3 years ago