1905080 - CSP directive `object-src 'none'` doesn't block an `<object>`

Status: NEW

(Core :: DOM: Security, defect, P4)

Description

[Mirko Brodesser (:mbrodesser-Igalia), offline until 10th of Feb]

https://searchfox.org/mozilla-central/rev/56dd89bcf4d3b85f66621e89eac6e2936ad382d9/testing/web-platform/tests/content-security-policy/object-src/object-src-no-url-blocked.html#5

Minimized example: https://jsfiddle.net/gunq163x/1/

Blocks https://bugzilla.mozilla.org/show_bug.cgi?id=1901510 because https://searchfox.org/mozilla-central/rev/56dd89bcf4d3b85f66621e89eac6e2936ad382d9/testing/web-platform/tests/trusted-types/trusted-types-reporting.html#86-95,103,105 doesn't throw at document.body.appendChild(o);.

Comment 1

[Olli Pettay [:smaug][bugs@pettay.fi]]

So this blocks making that test pass, but doesn't block the implementation of trusted types itself.

Comment 2

[Daniel Veditz [:dveditz]]

Did the definition of "object-src" change on us? There is no URL being loaded by the object tag in either the jsfiddle or the platform test so what is there to block?

Comment 3

[Mirko Brodesser (:mbrodesser-Igalia), offline until 10th of Feb]

(In reply to Daniel Veditz [:dveditz] from comment #2)

Did the definition of "object-src" change on us?

Presumably it didn't change recently, but it shouldn't matter, see below.

There is no URL being loaded by the object tag in either the jsfiddle or the platform test so what is there to block?

https://w3c.github.io/webappsec-csp/#directive-object-src contains

"If plugin content is loaded without an associated URL (perhaps an object element lacks a data attribute, but loads some default plugin based on the specified type), it MUST be blocked if object-src’s value is 'none', but will otherwise be allowed."

So loading a default plugin corresponding to the object's type should be blocked. It seems unspecified, which types lead to loading a default plugin.

Comment 4

[Frederik Braun [:freddy]]

I wonder if this happened as part of bug 1801664. At the same time, I am not seeing a security issue. This is purely a difference in reporting, isn't it?

Comment 5

[Tom Schuster]

Agreed. I looked at this test failure while triaging all our CSP failures on WPT and it didn't and still doesn't look like a security issue to me.

Comment 6

[Mirko Brodesser (:mbrodesser-Igalia), offline until 10th of Feb]

Removing the dependency to https://bugzilla.mozilla.org/show_bug.cgi?id=1901510 since the test is changed in https://phabricator.services.mozilla.com/D215363.

Comment 7

[Mirko Brodesser (:mbrodesser-Igalia), offline until 10th of Feb]

(In reply to Frederik Braun [:freddy] from comment #4)

I wonder if this happened as part of bug 1801664. At the same time, I am not seeing a security issue. This is purely a difference in reporting, isn't it?

Maybe. To be certain, further analysis/debugging would be required.

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:freddy, could you have a look please?

For more information, please visit BugBot documentation.