Open Bug 1804145 Opened 2 years ago Updated 15 days ago

Serialization of CSP (e.g. event.originalPolicy) prepends scheme to schemeless host-source expression

Category: Core :: DOM: Security, defect, P2
Status: ASSIGNED
Reporter: robwu
Assigned: tschuster
References: Depends on 1 open bug, Blocks 1 open bug
Whiteboard: [domsecurity-backlog]
Attachments: 1 file

When a CSP violation report or event is triggered, I would expect the reported serialization to be an accurate (potentially normalized) representation of the input CSP. When a scheme-less host-source value is specified, the reported CSP violation surprisingly includes the scheme of the origin.

The spec for the serialization only defines the grammar of the serialization, not how it is serialized ( https://w3c.github.io/webappsec-csp/#serialized-csp ). However, as scheme-less host-source is a valid source, I would expect the serialization to omit the scheme if it was missing.

Side note: this serialization is the result of the chosen implementation, where the scheme used for host-source is precomputed, i.e. derived from the self URL, and used to implement the following part of the matching algorithm from https://w3c.github.io/webappsec-csp/#match-url-to-source-expression

3. If expression matches the host-source grammar:

  1. If url’s host is null, return "Does Not Match".
  2. If expression does not have a scheme-part, and origin’s scheme does not scheme-part match url’s scheme, return "Does Not Match".

For scheme-less host-source, the precomputed scheme is exposed by the serialization, because the scheme is exposed at https://searchfox.org/mozilla-central/rev/2ad13433da20a0749e1e9a10ec0ab49b987c2c8e/dom/security/nsCSPUtils.cpp#824-829 . Note that it unconditionally prepends scheme + "://", even if the scheme does not have a // after the colon (e.g. about: and data:-URLs should not have two slashes after the : part of the scheme).

STR:

  1. Visit data:text/html,<meta http-equiv=content-security-policy content="connect-src example.com"><script>document.onsecuritypolicyviolation =e=>{document.body.append(e.originalPolicy);console.log(e)};fetch("http://example.com")</script><body>CSP violations will be logged here:<br>

Expected:

  • connect-src example.com
  • (observed in Chrome 107, Safari 15.6.1)

Actual:

  • connect-src data://example.com
  • (observed in Firefox 109; this is not a regression)

This sounds like a similar kind of problem as bug 1803475 (where I suspect we're using the self URL rather than the self Origin for about:srcdoc).
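As an added illustration (not Firefox code, and not the reporter's), the following Node.js model keeps the "was a scheme-part written" bit separate from the scheme used for matching: the spec's host-source matching steps quoted above use the origin's scheme when the expression has none, while serialization emits the expression exactly as the policy author wrote it. The `serializeWithSynthesizedScheme` function reproduces the reported behaviour (unconditional `scheme + "://"`) for comparison; path-parts are not modelled, and the scheme-part matching rules (http also matches https; ws also matches wss, http and https) are my reading of CSP3.

```javascript
// Added example (not from Firefox or the bug): a minimal model of CSP
// host-source expressions in which the scheme used for matching never leaks
// into the serialized policy.

const HOST_SOURCE_RE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?$/i;

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Parse a host-source expression, remembering whether a scheme-part was written.
function parseHostSource(expression) {
  const m = HOST_SOURCE_RE.exec(expression);
  if (!m) return null;
  return {
    raw: expression,                       // kept verbatim for serialization
    hasSchemePart: m[1] !== undefined,
    scheme: m[1] ? m[1].toLowerCase() : null,
    wildcardHost: m[2] !== undefined,
    host: m[3].toLowerCase(),
    port: m[4] ?? null,
  };
}

// "scheme-part match" (assumed CSP3 rules: secure upgrades are allowed).
function schemePartMatch(a, b) {
  a = a.toLowerCase();
  b = b.toLowerCase();
  if (a === b) return true;
  if (a === "http" && b === "https") return true;
  if (a === "ws" && (b === "wss" || b === "http" || b === "https")) return true;
  return false;
}

// Host-source steps of "Does url match expression in origin?". The origin's
// scheme is only consulted when the expression has no scheme-part (step 2).
function matchesHostSource(source, urlString, originString) {
  const url = new URL(urlString);
  if (url.hostname === "") return false;                        // step 1
  const urlScheme = url.protocol.slice(0, -1);
  if (!source.hasSchemePart) {                                  // step 2
    const originScheme = new URL(originString).protocol.slice(0, -1);
    if (!schemePartMatch(originScheme, urlScheme)) return false;
  } else if (!schemePartMatch(source.scheme, urlScheme)) {      // step 3
    return false;
  }
  const host = url.hostname.toLowerCase();
  if (source.wildcardHost) {
    if (!host.endsWith("." + source.host)) return false;
  } else if (host !== source.host) {
    return false;
  }
  // Port: an explicit port-part must match (or be "*"); without one, the URL
  // must use its scheme's default port (URL.port is "" in that case).
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (source.port !== null) {
    if (source.port !== "*" && source.port !== urlPort) return false;
  } else if (url.port !== "") {
    return false;
  }
  return true;
}

// Reported behaviour: the synthesized scheme is prepended unconditionally, so
// "example.com" on a data: document is reported as "data://example.com".
function serializeWithSynthesizedScheme(source, originString) {
  const scheme = source.hasSchemePart
    ? source.scheme
    : new URL(originString).protocol.slice(0, -1);
  return `${scheme}://${source.raw.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "")}`;
}

// Fixed behaviour: serialize the expression as written; the matching scheme
// is an implementation detail and not part of the policy text.
function serializeHostSource(source) {
  return source.raw;
}

function serializePolicy(directive, sources) {
  return `${directive} ${sources.map(serializeHostSource).join(" ")}`;
}

// Walk through the bug's STR: a data: document with "connect-src example.com"
// fetching http://example.com (constructed inputs).
const selfUrl = "data:text/html,x";
const sources = [parseHostSource("example.com")];
const allowed = matchesHostSource(sources[0], "http://example.com/", selfUrl);
console.log("fetch allowed:", allowed);                                    // false
console.log("buggy:", serializeWithSynthesizedScheme(sources[0], selfUrl)); // data://example.com
console.log("fixed:", serializePolicy("connect-src", sources));           // connect-src example.com
```

Because `raw` is retained next to the parsed fields, the violation report can quote the author's policy unchanged while matching still follows the origin-scheme rule, which is the separation the bug asks for.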

See Also: → 1803475

Related but not similar. This bug is about the exposed serialization, which is a consequence of the chosen implementation. The other bug is about the incorrect self URL. A way for the other bug to somehow fix this bug is if the implementation changes to not store the scheme. But that is not necessarily the only way to fix the other bug.

I've looked through the code using toString and we mostly use it for errors and serialization. Because we serialize the selfURI anyway we should be able to remove the prefix.

Assignee: nobody → tschuster
Blocks: CSP

When you fix this bug, edit toolkit/components/extensions/test/xpcshell/test_ext_dnr_modifyHeaders.js and remove the two comments and http:// from the three lines containing the expected CSP, starting from https://hg.mozilla.org/mozilla-central/rev/7703f8e13f31#l2.653

Attachment #9307033 - Attachment description: WIP: Bug 1804145 - CSP: Don't serialize the generated scheme. → Bug 1804145 - CSP: Don't serialize the generated scheme. r?freddyb
Severity: -- → S2
Priority: -- → P2
Whiteboard: [domsecurity-active]
Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d0ed4d075e4d
CSP: Don't serialize the generated scheme. r=freddyb,extension-reviewers,robwu
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch
Regressions: 1819006
Regressions: 1819096
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 110 Branch → ---
Status: REOPENED → ASSIGNED

We found out that the scheme we synthesize for schemeless host sources needs to be based on the origin and not what we currently call mSelfURI. We want to implement that at some point, but this bug doesn't have high enough priority to do that right now.

Duplicate of this bug: 1278353
Severity: S2 → S3
Depends on: 1899512

changing to backlog based on comment 11

Whiteboard: [domsecurity-active] → [domsecurity-backlog]