Remove localhost from the extension's base script-src CSP directive, at least from MV3
Categories
(WebExtensions :: General, task)
Tracking
(firefox106 fixed)
Tracking | Status | |
---|---|---|
firefox106 | --- | fixed |
People
(Reporter: robwu, Assigned: robwu)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [addons-jira])
Attachments
(1 file)
The base extension CSP contains "localhost". That does not make sense, as the goal of MV3 is to reject remote code execution in a privileged context.
It looks like we added localhost in bug 1594234:
- new: https://hg.mozilla.org/mozilla-central/rev/76491eab6179a27905998c7e48ef467c5299ae5d#l4.13
- old: https://hg.mozilla.org/mozilla-central/rev/76491eab6179a27905998c7e48ef467c5299ae5d#l3.13
Note that while the bug's intent is to make the CSP stricter, the patch actually allows http://localhost
to be referenced even when it was not supported before.
I believe that this was a mistake, derived from Chrome's documentation at https://developer.chrome.com/docs/extensions/mv3/intro/mv3-migration/, which currently states
In addition, Manifest V3 disallows certain CSP modifications for extension_pages that were permitted in Manifest V2. The script-src, object-src, and worker-src directives may only have the following values:
- self
- none
- Any localhost source, (http://localhost, http://127.0.0.1, or any port on those domains)
That in its turn is likely a mistake from a Chrome engineer who implemented the CSP in MV3: Search for IsLocalHostSource
in https://chromium.googlesource.com/chromium/src.git/+/11c67e5998f4dbb2d04b3e149c83e3f585846f2a%5E%21/. There are three occurrences:
- The
IsLocalHostSource
helper that allowshttp://localhost
andhttp://127.0.0.1
- The original MV2 CSP validation logic, that used to allow a whole bunch of sources.
- The new MV3 CSP validation logic that allows
'self'
,'none'
and localhost.
What I suspect to have happened is that whoever who implemented it looked at the MV2 implementation, and removed items that are considered remote/insecure, but mistakenly classified localhost as local/secure.
Despite that validation implementation, localhost can still not be loaded as a script in practice, because their base CSP (they call it "minimum CSP") does not contain localhost, only 'self'
and 'unsafe-wasm-eval'
:
So in conclusion, I recommend to remove localhost from our base CSP.
With that, we can also reject http(s) script loads in extensions, even at the process level (e.g. like what CheckAllowLoadInSystemPrivilegedContext
does for the system principal).
Assignee | ||
Comment 1•2 years ago
|
||
Updated•2 years ago
|
Updated•2 years ago
|
Pushed by rob@robwu.nl: https://hg.mozilla.org/integration/autoland/rev/9bee44dbde20 Remove localhost from MV3 CSP r=mixedpuppy
Comment 3•2 years ago
|
||
bugherder |
Assignee | ||
Comment 4•2 years ago
|
||
(In reply to Rob Wu [:robwu] from comment #0)
So in conclusion, I recommend to remove localhost from our base CSP.
With that, we can also reject http(s) script loads in extensions, even at the process level (e.g. like whatCheckAllowLoadInSystemPrivilegedContext
does for the system principal).
I found bug 1767798 where this is tracked.
Description
•