CSP: unsafe-hashes calculation for javascript: URLs differs from Chrome and Safari
Categories
(Core :: DOM: Security, defect)
Tracking
()
People
(Reporter: su3604, Assigned: tschuster)
References
(Blocks 1 open bug)
Details
(Keywords: sec-moderate, Whiteboard: [domsecurity-backlog][post-critsmash-triage] [adv-main108-] )
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.87 Whale/3.16.138.22 Safari/537.36
Steps to reproduce:
- Go to the following page:
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'sha256-5jFwrAK0UV47oFbVg/iCCBbxD8X1w+QvoOUepu4C2YA='">
</head>
<html>
<iframe src="javascript:alert(1);">
</iframe>
</html>
- Inline script will be executed
Actual results:
Firefox only uses everything after "javascript:" (i.e., sha256("alert(1);")) to compute the hash value, hence, it executes the javascript url whe encountering the CSP: script-src 'sha256-5jFwrAK0UV47oFbVg/iCCBbxD8X1w+QvoOUepu4C2YA='.
In contrast to that, Chromium-based browsers and Safari use the entire attribute value (i.e., sha256("javascript:alert(1);")).
Thus when providing the hash value 'sha256-6rHS0m9l4sDJsB2k/Z3d/OJlJSv1H6Y6jKYIcK6zaks=' in the CSP, the javascript URL would be executed in Chromium-based browsers and Safari.
Expected results:
There is no clear description in spec on whether the Chromium/Safari or Firefox behavior is correct. So which browser's behavior is correct? How about making the spec a bit more clear about this?
FYI, Firefox does not support unsafe-hashes in the script-src directive, but instead, it behaves as if the unsafe-hashes expression is auto-enabled (https://bugzilla.mozilla.org/show_bug.cgi?id=1683506). In other words, even if the unsafe-hashes expression is not specified in script-src, the hash specified in script-src is matched for event handler or JavaScript URL navigation.
|
||
Comment 1•2 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Comment 2•2 years ago
•
|
||
bug 1683506 is a duplicate of bug 1644790. I'll make this depend on that one plus the "implement unsafe-hashes" bug. Those will fix most of what you're talking about.
We also need to make the hashing clear in the spec if two browser engines managed to implement it differently. We don't seem to have another bug to represent that, and this one was filed by the author of the spec GH issue so let's restrict the scope of this bug to the calculation of the hashes.
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Comment 3•2 years ago
|
||
I understand how we got here: we don't support 'unsafe-hashes' and we're not actually whitelisting the javascript URL. But at the point we're (incorrectly) trying to execute it we're getting a CSP callback from the JS engine which sees it as an inline script. At that point it only has the script, not the context that it's a URL.
|
|
||
Comment 4•2 years ago
|
||
The severity field is not set for this bug.
:freddy, could you have a look please?
For more information, please visit auto_nag documentation.
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
Assignee | |
Comment 5•2 years ago
|
||
In bug 1797070 we also changed to hash calculation to follow the spec and thus also other browsers' behavior.
|
|
Assignee | |
Comment 6•2 years ago
|
||
As expected this was fixed by bug 1797070.
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 7•2 years ago
|
||
For advisory purposes, this is a dupe of Bug 1644790
|
|
||
Updated•1 year ago
|
Description
•