Open Bug 1779443 Opened 2 years ago Updated 10 months ago

Enforce restrictions on script-src-elem and script-src-attr in the content_security_policy field of extensions

Categories

(WebExtensions :: General, task, P3)

Tracking

(Not tracked)

People

(Reporter: robwu, Unassigned)

References

Details

(Whiteboard: [addons-jira])

With support for script-src-elem/script-src-attr landing in Firefox (bug 1529337), we should also add unit tests to verify that extensions cannot enable the use of remote code via a customized content_security_policy field in manifest.json.

MV3 extensions should not be able to use script-src-elem with remote code at all. script-src-attr should not be allowed either.
MV2 extensions can currently use remote URLs (e.g. https:) via script-src, but that is forbidden by the store policy of addons.mozilla.org. For simplicity, we can use the same implementation for MV2/MV3 (i.e. disallow/ignore use of script-src-attr, and disallow remote code in script-src-elem).

We need to ensure that script-src-elem/script-src-attr cannot be used to run remote code. To start with, we need unit tests, and if they fail, we need to investigate and fix the implementation if needed.

The following test files are of interest:

Test case below. Result: The CSP validator accepts the script-src-elem and script-src-attr directives, but the execution is still blocked by the base CSP, because data: is not in the base CSP.
However, script-src-elem https: would be accepted because https: is in the base policy: https://searchfox.org/mozilla-central/rev/fa71140041c5401b80a11f099cc0cd0653295e2c/toolkit/components/extensions/WebExtensionPolicy.cpp#45-48

manifest.json

{
    "name": "test",
    "version": "1",
    "manifest_version": 2,
    "background": {
        "scripts": ["background.js"]
    },
    "content_security_policy": "default-src 'none'; script-src-elem 'self' https: http: data:; script-src-attr 'unsafe-inline'"
}

background.js

// Inject a script element whose source is a data: URL; if the console message
// appears, string-based (remote) code was executed despite the base CSP.
var s = document.createElement('script');
s.src = 'data:,console.log("FAIL string based code executed.")';
document.body.append(s);

The feature has landed but is currently behind the security.csp.script-src-attr-elem.enabled pref, which defaults to true on Nightly. It will be enabled by default on release in bug 1782513.
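As an added example (not code from this bug or from Firefox), a small validator that applies the restriction described above to a manifest's content_security_policy string: any use of script-src-attr is rejected, and only 'self' and 'none' are accepted as script-src-elem sources. It assumes directive names and keyword sources compare case-insensitively, as in CSP parsing, and that duplicate directives are ignored after the first.

```javascript
// Added example: validator for the restrictions this bug asks for on the
// content_security_policy manifest field. Not Firefox's implementation.
// Assumption: only these keyword sources are safe for script-src-elem;
// anything else (https:, http:, data:, hosts, 'unsafe-inline') is treated
// as a potential remote or string-based code source.
const ALLOWED_ELEM_SOURCES = new Set(["'self'", "'none'"]);

// Parse "dir a b; dir2 c" into a Map of directive name -> [sources].
// CSP ignores a directive that repeats an earlier one, so keep the first.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1));
    }
  }
  return directives;
}

// Return a list of problems; an empty list means the policy is acceptable.
function validateExtensionCsp(policy) {
  const problems = [];
  const directives = parseCsp(policy);
  if (directives.has("script-src-attr")) {
    problems.push("script-src-attr is not allowed in extensions");
  }
  for (const src of directives.get("script-src-elem") || []) {
    if (!ALLOWED_ELEM_SOURCES.has(src.toLowerCase())) {
      problems.push(`script-src-elem: source ${src} could load remote code`);
    }
  }
  return problems;
}

// The content_security_policy value from the manifest in the test case above.
const EXAMPLE_POLICY =
  "default-src 'none'; script-src-elem 'self' https: http: data:; script-src-attr 'unsafe-inline'";

// Expected: four problems (script-src-attr, https:, http:, data:).
console.log(validateExtensionCsp(EXAMPLE_POLICY));
```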

See Also: → 1782513
Severity: -- → N/A
Priority: -- → P2
Whiteboard: [addons-jira]
See Also: → 1789759
Priority: P2 → P3