1745566 - (CVE-2022-22761) "frame-ancestors" CSP directive not enforced for framed extension pages

Status: RESOLVED FIXED

(WebExtensions :: General, defect, P2)

Description

[Daniel Veditz [:dveditz]]

Mart from Flowcrypt wrote the security alias to let us know that their WebExtension uses a CSP with a frame-ancestors directive, and that Firefox does not enforce it when web content frames one of their web-accessible extension pages. In contrast, Chrome does. This exposes their content to the risk of clickjacking.

Their CSP is:
upgrade-insecure-requests; script-src 'self'; frame-ancestors https://mail.google.com 'self'; img-src 'self' https://*.googleusercontent.com data: blob:; frame-src 'self' blob:; worker-src 'self'; form-action 'none'; media-src 'none'; font-src 'none'; manifest-src 'none'; object-src 'none'; base-uri 'self'
https://github.com/FlowCrypt/flowcrypt-browser/blob/master/extension/manifest.json#L93

It appears we intentionally limit frame-ancestor checks to HTTP channels,
https://searchfox.org/mozilla-central/rev/9b600caf7e9133876e44af4cd4558ed4f02870cf/dom/security/nsContentSecurityUtils.cpp#896-897,905-907
but it seems quite a useful thing to do for web extensions also

Comment 1

[Daniel Veditz [:dveditz]]

Repro steps from the mail:

Steps to reproduce:
I have discovered this by accident while checking on how our firefox application behavior in the Firefox Web Browser v95.0 64. Our application's source code is used by both Chrome extension and Firefox addon via separate build so there shouldn't be much difference unless an inconsistency to the client software is present such as this one.

1. To replicate the issue, download our app at https://flowcrypt.com/download.

2. Install them for both Chrome and Firefox browsers, the latest version is preferable.

3. Consider the following PoC:

   data:text/html,<iframe src=$extension-uri$/chrome/elements/attachment_preview.htm

The $extension-uri$ may vary for example in Google Chrome browser, it uses chrome-extension://<id-of-extension> and moz-extension://<id-of-extension> for Firefox browser.

4. Replace $extension-uri$ by the dedicated uri from each extension downloaded from https://flowcrypt.com/download
5. Open the PoC link above for both Chrome and Firefox browsers and you will notice that the iframe is blocked in the chrome browser via CSP and the iframe on firefox browser is loaded.

Comment 2

[Daniel Veditz [:dveditz]]

Not sure if this should be a Web Extension bug (because it only affects Web Extensions) or moved to "DOM: Security" (because it's CSP)

Comment 3

[Rob Wu [:robwu]]

An extension that declares a resource in web_accessible_resources should be prepared to deal with the web loading the resource.
It would be useful to support frame-ancestors in the CSP though.

We need to apply two CSPs, like we do here:
https://searchfox.org/mozilla-central/rev/5909d5b7f3e247dddff8229e9499db017eb438e2/dom/base/Document.cpp#3660,3680-3684

While that code is in DOM::Security, I'd keep this in WebExtensions::General since it only affects extensions and requires mostly extension-specific knowledge.

I'll take a stab at fixing this; seems pretty straightforward.

Comment 4

[Rob Wu [:robwu]]

Attachment: Bug 1745566 - Support frame-ancestors for web-accessible extension resources

frame-ancestor support requires a CSP. While extensions can declare a
CSP for extension pages, the frame-ancestors directive was not enforced
because the implementation expected only HTTP channels.

This patch also adds support for channels from ExtensionProtocolHandler.

Comment 5

[Rob Wu [:robwu]]

I'll land bug 1735856 first, to avoid undesired information leakage.

Comment 6

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Support frame-ancestors for web-accessible extension resources r=necko-reviewers,freddyb,dragana
https://hg.mozilla.org/integration/autoland/rev/b8af8d2e98573c2bc1f53b458fa46b629ec84eb8
https://hg.mozilla.org/mozilla-central/rev/b8af8d2e9857

Comment 7

[Mart Gil Robles]

Hello Team,

I have tested it right now and it was no longer reproducible so I think it was fixed now (Firefox Web Browser Version 95.0.2).

May I know If this is eligible for a reward, CVE entry - security advisory such as https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/, or, a Hall of Fame entry?

Best,
Mart Gil

Comment 8

[Rob Wu [:robwu]]

I've set the bug flag so that its eligibility for a bounty can be evaluated at the next triage.

Comment 9

[Ryan VanderMeulen [:RyanVM]]

Given that we're already in RC week, it's probably too late for backports this cycle, but is this something we're eventually going to want on ESR for the next cycle? Also, let us know ASAP if you think this is something we should still aim to ship this cycle.

Comment 10

[Rob Wu [:robwu]]

Comment on attachment 9255900 [details]
Bug 1745566 - Support frame-ancestors for web-accessible extension resources

ESR Uplift Approval Request

• If this is not a sec:{high,crit} bug, please state case for ESR consideration: Extensions can override the default CSP for extension pages. The frame-ancestors CSP directive is usually used to stop pages from being embedded by third parties, and extension authors may expect the same for CSP directives of extension pages.
• User impact if declined: Extensions opted in to web-accessible extension pages AND relied on enforced frame-ancestors may be susceptible to click jacking.
• Fix Landed on Version:
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): The number of extensions that specify a frame-ancestors CSP without expecting its enforcement is likely next to none.

Comment 11

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9255900 [details]
Bug 1745566 - Support frame-ancestors for web-accessible extension resources

Approved for 91.6esr.

Comment 12

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr91/rev/fa4ca32f2125

Comment 13

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: advisory.txt