CSP in internal about pages should be stricter
Product / Component: Firefox :: Security (task)
Reporter: freddy (Unassigned)
Keywords: sec-audit
There are various pages that allow remote images or inline styles. It would be nice to go through the existing reasons for all of those exceptions, audit them and see if we can re-write the code and make the CSP stricter. Naturally, this should be prioritized for pages that load in the parent process.
The search at https://searchfox.org/mozilla-central/search?q=img-src[^%3B]*http&regexp=true provides a great starting point.
Comment 1 (Reporter) • 3 years ago
I did some additional analysis. The main violations are within the custom elements, which I am told are indeed required to be inline scripts to correctly apply.
If I remove the `unsafe-inline` token for aboutaddons, we get violations and breakage in the test at toolkit/mozapps/extensions/test/browser/browser_html_detail_view.js, which are caused by the following files:
- https://searchfox.org/mozilla-central/rev/d21e359bd26dd0a7ba216472184d6fed8f0afd48/toolkit/content/widgets/menupopup.js#124
- https://searchfox.org/mozilla-central/rev/d21e359bd26dd0a7ba216472184d6fed8f0afd48/toolkit/mozapps/extensions/content/aboutaddons.js#659
All in all, the thing seems to be low-risk though:
- Style injections are generally low (or at most moderate) severity
- The code identified above is using hardcoded strings for CSS.
All in all, this is probably best patched by implementing inline-style/inline-script hash-src support from CSP3 and using that.