Closed Bug 1819006 Opened 1 year ago Closed 1 year ago

CSP Host-src blocked due to missing scheme in about:srcdoc

Categories

(Core :: DOM: Security, defect)

Firefox 110
defect

RESOLVED DUPLICATE of bug 1819096

People

(Reporter: peter.arts+bugzilla, Unassigned)

References

(Regression)

Details

(Keywords: regression)

Steps to reproduce:

  1. Go to https://public-library.safetyculture.io/
  2. Observe a large volume of CSP violations for script-src cdn.kustomerapp.com and connect-src support-safetyculture.api.kustomerapp.com while both these sources are allowed per the CSP policy of that website.

Actual results:

We see a massive increase in CSP violation reports since the release of Firefox version 110, likely as the result of a fix for bug 1790345. This caused Firefox to incorrectly interpret or deal with a Content-Security-Policy-Report-Only header, as the violated sources are permitted as per policy. This exclusively happens in Firefox since version 110 on both Windows and Mac desktops. This happens on several of our websites and apps while we have not deployed any changes to these, and other browsers don't have this issue either.

Expected results:

When visiting the website above (I can share more URLs where it also happens), Firefox should not report CSP violations for script-src cdn.kustomerapp.com and connect-src support-safetyculture.api.kustomerapp.com. On other websites, additional sources are blocked and it seems to be related to including the Kustomer chat SDK.

I will try to reproduce it locally in the meantime and share further details when they are available.

To reproduce, host the HTML file below and make sure that the HTTP response header includes the following header:

Content-Security-Policy-Report-Only: base-uri 'self'; connect-src 'self' *.pndsn.com support-safetyculture.api.kustomerapp.com; default-src 'self'; font-src 'self' cdn.kustomerapp.com data:; form-action https:; frame-src 'self' cdn.kustomerapp.com; img-src 'self' *; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'report-sample' 'self' cdn.kustomerapp.com; style-src 'report-sample' 'self' 'unsafe-inline'; worker-src 'none'; report-uri /csp-report;

You can run the following Python script in the same directory as the HTML file below to host it if necessary:

#!/usr/bin/env python
try:
    from http import server # Python 3
except ImportError:
    import SimpleHTTPServer as server # Python 2

class MyHTTPRequestHandler(server.SimpleHTTPRequestHandler):
    def end_headers(self):
        self.send_my_headers()

        server.SimpleHTTPRequestHandler.end_headers(self)

    def send_my_headers(self):
        self.send_header("Content-Security-Policy-Report-Only", "base-uri 'self'; connect-src 'self' *.pndsn.com support-safetyculture.api.kustomerapp.com; default-src 'self'; font-src 'self' cdn.kustomerapp.com data:; form-action https:; frame-src 'self' cdn.kustomerapp.com; img-src 'self' *; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'report-sample' 'self' cdn.kustomerapp.com; style-src 'report-sample' 'self' 'unsafe-inline'; worker-src 'none'; report-uri /csp-report;")


if __name__ == '__main__':
    server.test(HandlerClass=MyHTTPRequestHandler)

The following HTML file triggers the incorrect CSP violations. The script included from https://cdn.kustomerapp.com/chat-web/widget.js (permitted script-src) creates an iframe that in turn loads a few additional scripts from https://cdn.kustomerapp.com/chat-web/... (again, permitted script-src) but that is causing a CSP violation in Firefox 110 (incorrect), while that was not the case in previous versions or other browsers.

Then, many violations are reported for connect-src https://support-safetyculture.api.kustomerapp.com while that is also permitted as per CSP.

To trigger the violations, open the browser console, then scroll down a little bit until the violations appear. Please note that the HTML file requires a kustomer-api-key that I cannot include in this report. To obtain it, please go to https://public-library.safetyculture.io/assets/js/app.min.njwZ9kj6sP3zcGVx.js and search for data-kustomer-api-key. Replace PASTE_KEY_HERE_SEE_NOTES below with the key.

<html>
<head>
<title>CSP report-only bug in Mozilla Firefox 110 PoC</title>
</head>
<body>
testing<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>testing

<script>
document.addEventListener('scroll', function(e) {
  if (!document.getElementById('kustomer-ui-sdk-iframe') && window.scrollY > 150) {
    loadKustomer();
  }
});

/**
 * Load Kustomer
 */
function loadKustomer() {
  let script = document.createElement('script');
  script.src = 'https://cdn.kustomerapp.com/chat-web/widget.js';
  script.setAttribute(
    'data-kustomer-api-key',
    'PASTE_KEY_HERE_SEE_NOTES',
  );
  window.document.body.appendChild(script);
}

/**
 * Start Kustomer
 */
window.addEventListener('kustomerLoaded', function() {
  Kustomer.start({}, function() {
    Kustomer.addListener('onConversationCreate', function(res) {
      Kustomer.describeConversation({
        conversationId: res.conversationId,
        customAttributes: {
          chatUrlStr: document.location.hostname + document.location.pathname,
        },
      });
    });
  });
});
</script>
</body>
</html>

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Flags: needinfo?(tschuster)

When running the above in blocking mode by setting the header name to Content-Security-Policy instead of Content-Security-Policy-Report-Only and adding a nonce to the inline script (change <script> to <script nonce="testnonce"> and add 'nonce-testnonce' to the script-src directive), the first blocked source can be seen. Please refer to the CSP report sent by Firefox 110 below, where you can see that cdn.kustomerapp.com is permitted in the script-src directive but still blocked by CSP. Hope this helps and let me know if you need further details.

Unless I'm missing something (I know CSP can be tricky), I believe this bug affects a large number of users and site owners and probably breaks sites that have CSP in blocking mode.

{
    "csp-report":
    {
        "blocked-uri": "https://cdn.kustomerapp.com/chat-web/release-v0.1.344/core-main.ac55efbde97d5e251d5f.js",
        "disposition": "enforce",
        "document-uri": "about",
        "effective-directive": "script-src-elem",
        "original-policy": "base-uri 'self'; connect-src 'self' *.pndsn.com support-safetyculture.api.kustomerapp.com; default-src 'self'; font-src 'self' cdn.kustomerapp.com data:; form-action https:; frame-src 'self' cdn.kustomerapp.com; img-src 'self' *; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'nonce-testnonce' 'report-sample' 'self' cdn.kustomerapp.com; style-src 'report-sample' 'self' 'unsafe-inline'; worker-src 'none'; report-uri http://example.com/csp-report",
        "referrer": "",
        "status-code": 0,
        "violated-directive": "script-src-elem"
    }
}
Flags: needinfo?(tschuster)
Summary: Fix for bug 1790345 caused CSP in report-only mode to malfunction (large number of false violations) → CSP Host-src blocked due to missing scheme in about:srcdoc

Thank you so much for providing this very detailed test case in comment 2. This is the same as bug 1803475.

The iframe created by kustomer uses an about:srcdoc URL and your CSP for connect-src doesn't specify a scheme for safetyculture.api.kustomerapp.com. So we will try to match the scheme as about, which doesn't match https. You can fix this problem by explicitly specifying a scheme for your host sources.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1803475
Resolution: --- → DUPLICATE
Keywords: regression
Regressed by: 1804145
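The matching rule described in the comment above, as an added example that is not part of this bug report or of Firefox's code: a simplified model of CSP3 host-source matching (the spec's "Does url match expression in origin" check, host and port only, keyword sources and path matching omitted). It shows that a scheme-less host source such as cdn.kustomerapp.com matches an https URL when the comparison scheme is the embedding document's https, fails when the comparison scheme is about (the about:srcdoc case), and matches again once the scheme is written explicitly. The URLs, the origin scheme values and the helper names are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Constructed example: simplified CSP3 host-source matching for host and port only.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def scheme_part_match(a, b):
    """CSP3 'scheme-part match': equal, or an allowed upgrade (http->https, ws->wss, ...)."""
    a, b = a.lower(), b.lower()
    return (a == b or (a == "http" and b == "https")
            or (a == "ws" and b in ("wss", "http", "https"))
            or (a == "wss" and b == "https"))


def host_source_matches(expression, url, origin_scheme):
    """Return True if `url` matches the CSP host-source `expression`.

    `origin_scheme` is the scheme used for comparison when the expression has no
    scheme of its own: the document's scheme in the normal case, "about" when a
    browser wrongly uses the about:srcdoc URL of a srcdoc iframe.
    """
    if "://" in expression:
        expr_scheme, rest = expression.split("://", 1)
    else:
        expr_scheme, rest = None, expression
    host_part, _, _path = rest.partition("/")
    host, _, port = host_part.partition(":")
    u = urlsplit(url)
    # Scheme: an explicit scheme in the expression wins, otherwise the origin's scheme.
    if not scheme_part_match(expr_scheme or origin_scheme, u.scheme):
        return False
    # Host, including the *.example.com wildcard form.
    hostname = (u.hostname or "").lower()
    if host.startswith("*."):
        if not hostname.endswith(host[1:].lower()):
            return False
    elif hostname != host.lower():
        return False
    # Port: explicit port must match; no port means the URL must use its scheme's default.
    url_port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    if port and port != "*" and url_port != int(port):
        return False
    if not port and url_port != DEFAULT_PORTS.get(u.scheme):
        return False
    return True
```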

Thank you Tom, I tried to identify if it was a dup. Firefox starting from version 110 is the only browser that behaves like this. Adding a scheme to all hosts inflates the length of our CSP headers quite a bit, as much as 38% for one application so that is the main reason we left these out. Many examples on https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP also omit the scheme so I'm surprised that there is currently no intention to fix this bug.

Is there anything that I can do to help get this fixed? I'd prefer not to update all our policies just for this bug in the one browser, although I need to find a solution as our reporting tool is bombarded with reports (up >1000% since last week as the result of this bug).

Thank you so much for reporting this to us! This is affecting more websites than we anticipated - we have underestimated the impact our change would have.
We are releasing Firefox 110.0.1 today, which should revert our CSP behavior change and will make sure that we have better testing for our next iteration.

Thanks Frederik for fixing this so quickly! I can confirm that we no longer see this incorrect behaviour in the updated version. Thanks again!

Duplicate of bug: 1819096
No longer duplicate of bug: 1803475