Developer tools leak CSP violations through DNS prefetching (links in devtools should have DNS prefetching disabled)
Categories
(DevTools :: General, defect, P2)
Tracking
(firefox-esr115 wontfix, firefox126 wontfix, firefox127 wontfix, firefox128 fixed)
People
(Reporter: ymarchand, Assigned: jdescottes)
References
(Regressed 1 open bug)
Details
(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main128+])
Attachments
(3 files)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0
Steps to reproduce:
- Set up a DNS name server
- In the attached HTML file, update "example.org" to point to your DNS server
- Visit the attached HTML file
Actual result:
- A DNS request is sent out when the CSP violation is generated, leaking the violation
Expected result:
- No DNS prefetching in developer tools
Summary:
By default, <a> tags are prefetched upon loading into the DOM, this includes the developer tools. Upon a CSP violation a link is generated in the console tab of the developer tools, pointing to the violating resource. This causes a DNS prefetch, leaking that a CSP violation has happened. This can be used to bypass the "default-src none" directive in case of a CSS injection, as can be seen in the attached POC. It should be noted that we were only able to exploit this in a browser where the developer tools were open.
In addition to the user agent above, we also confirmed this vulnerability on a Windows machine.
This issue was found during DiceCTF by Aidan Stephenson & Yannik Marchand.
|
||
Comment 2•2 years ago
|
||
Thanks for the report. I haven't tried to repro (not a devtools expert, can't easily set up a DNS server, and it's 10pm here), but the report makes sense to me, so just going to try to pass this to the right people to investigate further.
Moving to devtools, but Valentin, who from networking would be good to chat to here? I guess devtools could update all their individual markup but that's pretty error-prone. A browsingcontext/docshell level change would be a more systemic solution. Do we already have a flag of that sort?
Maybe it would be worth disabling DNS prefetching for the developer tools entirely? Given that only a small percentage of users will be interacting with these tools (and those that do will likely be developing their own website, meaning its likely already in the DNS cache) it seems worth the possible performance hit.
|
|
||
Comment 4•2 years ago
|
||
(In reply to aidands from comment #3)
Maybe it would be worth disabling DNS prefetching for the developer tools entirely? Given that only a small percentage of users will be interacting with these tools (and those that do will likely be developing their own website, meaning its likely already in the DNS cache) it seems worth the possible performance hit.
Right, that is effectively what I asked in comment 2. I'm not sure if we have primitives for this at the moment (we may do, I just don't know off-hand). There's an HTTP header (X-DNS-Prefetch-Control) but the devtools' own html pages are not using HTTP channels. If one doesn't exist we can create one, but that may require people other than the devtools team to help. :-)
|
||
Comment 5•2 years ago
|
||
Tom, Freddy: interesting CSP edge case. Does a page's CSP apply to DevTools?
|
||
Comment 6•2 years ago
|
||
HTMLDocument chrome://devtools/content/webconsole/index.html
temp3.csp.policyCount // 0
We could either try setting Document::mAllowDNSPrefetch to false for the devtools document, or better yet change the following code to return false if the document's nodePrincipal is the SystemPrincipal. I think this would be good to do anyway.
bool HTMLDNSPrefetch::IsAllowed(Document* aDocument) {
// There is no need to do prefetch on non UI scenarios such as XMLHttpRequest.
return aDocument->IsDNSPrefetchAllowed() && aDocument->GetWindow();
}
|
||
Comment 7•2 years ago
|
||
CSP is supposed to have a mechanism for blocking preconnect/preload/prefetch called "resource hints". I have been on-and-off working on this a bit when I have some time in bug 1457204. However currently the specification for this is broken: https://github.com/w3c/webappsec-csp/issues/633.
|
||
Updated•2 years ago
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 8•2 years ago
|
||
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 9•2 years ago
|
||
Thanks for the suggestion and review Valentin!
Daniel: are we okay with landing the current patch as is, since it's sec-low?
|
||
Comment 11•2 years ago
|
||
|
||
Comment 12•2 years ago
|
||
|
||
Updated•2 years ago
|
|
||
Comment 13•2 years ago
|
||
The patch landed in nightly and beta is affected.
:jdescottes, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox127towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 14•2 years ago
|
||
Considering that we could not write a test for it, I think it's safer to let this ride the trains.
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Comment 15•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
Description
•