Serialization of CSP (e.g. event.originalPolicy) prepends scheme to schemeless host-source expression
Categories: Core :: DOM: Security, defect, P2
People: Reporter: robwu, Assigned: tschuster
References: Blocks 1 open bug
Whiteboard: [domsecurity-active]
Attachments: 1 file
When a CSP violation report or event is triggered, I would expect the reported serialization to be an accurate (potentially normalized) representation of the input CSP. When a scheme-less host-source value is specified, the reported CSP violation surprisingly includes the scheme of the origin.
The spec for the serialization only defines the grammar of the serialization, not how it is serialized ( https://w3c.github.io/webappsec-csp/#serialized-csp ). However, as scheme-less host-source is a valid source, I would expect the serialization to omit the scheme if it was missing.
Side note: this serialization is the result of the chosen implementation, where the scheme used for host-source is precomputed, i.e. derived from the self URL, and used to implement the following part of the matching algorithm from https://w3c.github.io/webappsec-csp/#match-url-to-source-expression
3. If expression matches the host-source grammar:
- If url’s host is null, return "Does Not Match".
- If expression does not have a scheme-part, and origin’s scheme does not scheme-part match url’s scheme, return "Does Not Match".
For scheme-less host-source, the precomputed scheme is exposed by the serialization, because the scheme is exposed at https://searchfox.org/mozilla-central/rev/2ad13433da20a0749e1e9a10ec0ab49b987c2c8e/dom/security/nsCSPUtils.cpp#824-829 . Note that it unconditionally prepends scheme + "://", even if the scheme does not have a // after the colon (e.g. about: and data: URLs should not have two slashes after the : part of the scheme).
STR:
- Visit
data:text/html,<meta http-equiv=content-security-policy content="connect-src example.com"><script>document.onsecuritypolicyviolation =e=>{document.body.append(e.originalPolicy);console.log(e)};fetch("http://example.com")</script><body>CSP violations will be logged here:<br>
- alternative URL with same test case: https://jsfiddle.net/m80cp2y4/
Expected:
- connect-src example.com
- (observed in Chrome 107, Safari 15.6.1)
Actual:
- connect-src data://example.com
- (observed in Firefox 109; this is not a regression)
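As an added illustration (this is example code, not Firefox's implementation or anything from the report above), the following JavaScript models the distinction the description draws: a host-source store that keeps a scheme-less expression scheme-less, looks up the origin's scheme only at match time (step 3 of the spec's matching algorithm), and therefore serializes the policy back exactly as written. A second, contrasting function reproduces the reported behaviour by resolving the scheme at parse time, which is what leaks "data://example.com" into originalPolicy. The function names, the hand-written parser and the sample policy strings are all assumptions of this example; keyword sources and path-part matching are not modelled.

```javascript
// Added example (not Firefox code): a minimal model of a CSP source-expression
// store that keeps the scheme needed for matching separate from the text it
// serializes, so a scheme-less host-source round-trips unchanged.

const DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443" };

// Parse one source expression. Only scheme-source ("https:") and host-source
// ("example.com", "*.example.com:443/path") are modelled; keyword sources
// such as 'self' and 'none' are out of scope here.
function parseSourceExpression(expr) {
  const schemeOnly = /^([a-zA-Z][a-zA-Z0-9+.-]*):$/.exec(expr);
  if (schemeOnly) return { kind: "scheme", scheme: schemeOnly[1].toLowerCase() };
  const m = /^(?:([a-zA-Z][a-zA-Z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?(\/.*)?$/.exec(expr);
  if (!m) throw new Error("unsupported source expression: " + expr);
  return {
    kind: "host",
    scheme: m[1] ? m[1].toLowerCase() : null, // null means "no scheme-part given"
    wildcardSubdomains: Boolean(m[2]),
    host: m[3].toLowerCase(),
    port: m[4] || null,
    path: m[5] || null,
  };
}

// Serialization is the inverse of parsing: nothing that was not in the input
// (in particular, no synthesized scheme) appears in the output.
function serializeSourceExpression(src) {
  if (src.kind === "scheme") return src.scheme + ":";
  let out = src.scheme === null ? "" : src.scheme + "://";
  if (src.wildcardSubdomains) out += "*.";
  out += src.host;
  if (src.port !== null) out += ":" + src.port;
  if (src.path !== null) out += src.path;
  return out;
}

function parseDirective(text) {
  const [name, ...values] = text.trim().split(/\s+/);
  return { name, sources: values.map(parseSourceExpression) };
}

function serializeDirective(directive) {
  return [directive.name, ...directive.sources.map(serializeSourceExpression)].join(" ");
}

// "scheme-part match" from the spec: equal, or the http->https / ws->wss upgrade.
function schemePartMatches(expected, actual) {
  return expected === actual ||
    (expected === "http" && actual === "https") ||
    (expected === "ws" && actual === "wss");
}

// Step 3 of "match url to source expression" for a host-source. For a
// scheme-less expression the comparison scheme is taken from the protected
// resource's origin at match time; it is never written back into `src`.
// Path-part matching is not modelled.
function hostSourceMatches(src, urlString, selfOrigin) {
  const url = new URL(urlString);
  if (!url.host) return false; // url's host is null: "Does Not Match"
  const urlScheme = url.protocol.slice(0, -1);
  const expectedScheme = src.scheme === null ? selfOrigin.scheme : src.scheme;
  if (!schemePartMatches(expectedScheme, urlScheme)) return false;
  const host = url.hostname.toLowerCase();
  if (src.wildcardSubdomains ? !host.endsWith("." + src.host) : host !== src.host) return false;
  if (src.port === null) {
    if (url.port !== "") return false; // non-default port but no port-part
  } else if (src.port !== "*" && src.port !== (url.port || DEFAULT_PORTS[urlScheme])) {
    return false;
  }
  return true;
}

// For contrast, the behaviour this bug reports: resolving the scheme when the
// policy is parsed and serializing the resolved expression leaks the origin's
// scheme into originalPolicy (e.g. "data://example.com" from a data: document).
function resolveSchemesAtParseTime(directive, selfScheme) {
  return {
    name: directive.name,
    sources: directive.sources.map(s =>
      s.kind === "host" && s.scheme === null ? { ...s, scheme: selfScheme } : s),
  };
}

const policy = parseDirective("connect-src example.com"); // constructed sample policy
console.log(serializeDirective(policy));                                   // connect-src example.com
console.log(serializeDirective(resolveSchemesAtParseTime(policy, "data"))); // connect-src data://example.com
console.log(hostSourceMatches(policy.sources[0], "http://example.com/", { scheme: "https" })); // false
```

Note that the matching result is identical in both designs (an https origin still rejects a plain-http fetch against a scheme-less example.com); only the stored representation differs, which is why the fix can drop the synthesized scheme from the serialization without changing enforcement.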
Comment 1•1 year ago
This sounds like a similar kind of problem as bug 1803475 (where I suspect we're using the self URL rather than the self Origin for about:srcdoc)
Comment 2•1 year ago (Reporter)
Related but not similar. This bug is about the exposed serialization, which is a consequence of the chosen implementation. The other bug is about the incorrect self URL. A way for the other bug to somehow fix this bug is if the implementation changes to not store the scheme. But that is not necessarily the only way to fix the other bug.
Comment 3•1 year ago (Assignee)
I've looked through the code using toString and we mostly use it for errors and serialization. Because we serialize the selfURI anyway we should be able to remove the prefix.
Comment 4•1 year ago (Assignee)
Comment 5•1 year ago (Reporter)
When you fix this bug, edit toolkit/components/extensions/test/xpcshell/test_ext_dnr_modifyHeaders.js and remove the two comments and http:// from the three lines containing the expected CSP, starting from https://hg.mozilla.org/mozilla-central/rev/7703f8e13f31#l2.653
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d0ed4d075e4d CSP: Don't serialize the generated scheme. r=freddyb,extension-reviewers,robwu
Comment 7•1 year ago (bugherder)
Comment 8•1 year ago (backout, bugherder, uplift)
Backed out 1 changesets (bug 1804145) for causing bug 1819096
https://hg.mozilla.org/releases/mozilla-release/rev/36ae3bdd6923
Comment 9•1 year ago
Backed out on nightly for causing Bug 1819096
Comment 10•1 year ago
Backed out on beta for causing Bug 1819096
https://hg.mozilla.org/releases/mozilla-beta/rev/eb4af1abbe69fe91a20cbb5bc559f3de8976d78a
Comment 11•1 year ago (Assignee)
We found out that the scheme we synthesize for schemeless host sources needs to be based on the origin and not what we currently call mSelfURI. We want to implement that at some point but this bug doesn't have high enough priority to do that right now.