Bug 1738675 (Closed): opened 3 years ago, closed 3 years ago

CSP in internal about pages should be stricter

Categories: Firefox :: Security (task)


Status: RESOLVED FIXED
People: Reporter: freddy; Assignee: Unassigned


Keywords: sec-audit

There are various pages that allow remote images or inline styles. It would be nice to go through the existing reasons for all of those exceptions, audit them and see if we can re-write the code and make the CSP stricter. Naturally, this should be prioritized for pages that load in the parent process.

The search at https://searchfox.org/mozilla-central/search?q=img-src[^%3B]*http&regexp=true provides a great starting point.

I did some additional analysis. The main violations are within the custom elements, which I am told are indeed required to be inline scripts to correctly apply.

If I remove the unsafe-inline token for aboutaddons, we get violations and breakage in the test at toolkit/mozapps/extensions/test/browser/browser_html_detail_view.js which are caused by the following files:

All in all, the thing seems to be low-risk though:

  • Style injections are generally low (or at most moderate) severity
  • The code identified above is using hardcoded strings for CSS.

All in all, this is probably best patched by implementing inline-style/inline-script hash-src support from CSP3 and using that.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED