Closed Bug 1789751 Opened 2 years ago Closed 2 years ago

Remove localhost from the extension's base script-src CSP directive, at least from MV3

Categories

(WebExtensions :: General, task)

Product:
WebExtensions
Component:
General
Type:
task

Tracking

(firefox106 fixed)

Status:
RESOLVED FIXED
Milestone:
106 Branch
Tracking Flags:
Tracking Status
firefox106 --- fixed

People

(Reporter: robwu, Assigned: robwu)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [addons-jira])

Attachments

(1 file)

Bug 1789751 - Remove localhost from MV3 CSP
48 bytes, text/x-phabricator-request
Details | Review

The base extension CSP contains "localhost". That does not make sense, as the goal of MV3 is to reject remote code execution in a privileged context.

It looks like we added localhost in bug 1594234:

Note that while the bug's intent is to make the CSP stricter, the patch actually allows http://localhost to be referenced even when it was not supported before.

I believe that this was a mistake, derived from Chrome's documentation at https://developer.chrome.com/docs/extensions/mv3/intro/mv3-migration/, which currently states

In addition, Manifest V3 disallows certain CSP modifications for extension_pages that were permitted in Manifest V2. The script-src, object-src, and worker-src directives may only have the following values:

That in its turn is likely a mistake from a Chrome engineer who implemented the CSP in MV3: Search for IsLocalHostSource in https://chromium.googlesource.com/chromium/src.git/+/11c67e5998f4dbb2d04b3e149c83e3f585846f2a%5E%21/. There are three occurrences:

  • The IsLocalHostSource helper that allows http://localhost and http://127.0.0.1
  • The original MV2 CSP validation logic, that used to allow a whole bunch of sources.
  • The new MV3 CSP validation logic that allows 'self', 'none' and localhost.

What I suspect to have happened is that whoever who implemented it looked at the MV2 implementation, and removed items that are considered remote/insecure, but mistakenly classified localhost as local/secure.

Despite that validation implementation, localhost can still not be loaded as a script in practice, because their base CSP (they call it "minimum CSP") does not contain localhost, only 'self' and 'unsafe-wasm-eval':

So in conclusion, I recommend to remove localhost from our base CSP.
With that, we can also reject http(s) script loads in extensions, even at the process level (e.g. like what CheckAllowLoadInSystemPrivilegedContext does for the system principal).

Assignee: nobody → rob
Status: NEW → ASSIGNED
Pushed by rob@robwu.nl:
https://hg.mozilla.org/integration/autoland/rev/9bee44dbde20
Remove localhost from MV3 CSP r=mixedpuppy
Blocks: 1790236

https://hg.mozilla.org/mozilla-central/rev/9bee44dbde20

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox106: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch

(In reply to Rob Wu [:robwu] from comment #0)

So in conclusion, I recommend to remove localhost from our base CSP.
With that, we can also reject http(s) script loads in extensions, even at the process level (e.g. like what CheckAllowLoadInSystemPrivilegedContext does for the system principal).

I found bug 1767798 where this is tracked.

Blocks: 1767798
See Also: → 1864284
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: