CSP in meta tag can be bypassed to load files from cross-origin
Categories: Core :: DOM: Security, defect
People: Reporter: duckhiem, Unassigned, NeedInfo
Details: Keywords: reporter-external
Attachments (1 file): 261 bytes, text/html
User Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Mobile Safari/537.36
Steps to reproduce:
Use these code lines:
<meta
http-equiv="Content-Security-Policy"
content="default-src 'self'; img-src 'none'; child-src 'none';" />
<style>
body {
background-image: url("https://www.w3schools.com/css/paper.gif");
background-color: #cccccc;
}
</style>
On Firefox 128 on Android.
The photo from cross-origin still appears in your website.
Actual results:
Use these code lines:
<meta
http-equiv="Content-Security-Policy"
content="default-src 'self'; img-src 'none'; child-src 'none';" />
<style>
body {
background-image: url("https://www.w3schools.com/css/paper.gif");
background-color: #cccccc;
}
</style>
On Firefox 128 on Android.
The photo from cross-origin still appears in your website.
Expected results:
Following the CSP rules.
Updated•11 months ago
Comment 1•11 months ago
Comment 2•11 months ago
Like your similar bugs we can't reproduce this on either Desktop or Android. We think your testing machine is broken or hacked. Did you try creating a completely new profile or a different machine like we asked in the other bugs?
At least in this case the CSP is in a meta tag, so we can rule out some kind of proxy that strips headers.
The style is not applied because your CSP does not have 'unsafe-inline'. If you fix that, then the image is blocked. We have no clue why you are not seeing the same thing.
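The reasoning in comment 2 rests on two CSP rules: a missing fetch directive such as `style-src` or `img-src` falls back to `default-src`, and an inline `<style>` is only applied when the governing directive carries `'unsafe-inline'`. The following JavaScript is an added example, not code from this bug report or from Firefox; it models just those two rules (nonce and hash sources are not modelled, and source lists support only `'self'`, `'none'`, `*` and full origins) and walks the policy exactly as filed, then with `'unsafe-inline'` added. The page origin `https://example.test` is a constructed assumption; the image URL and policy strings are the ones from the report.

```javascript
// Added example, not code from the bug report or from Firefox. A minimal
// model of two CSP rules used to reason about the policy filed above:
//  1. a fetch directive that is absent (e.g. style-src, img-src) falls back
//     to default-src;
//  2. an inline <style> element is applied only when the governing directive
//     carries 'unsafe-inline' (nonce and hash sources are not modelled).
// Source lists support 'self', 'none', '*' and full origins only.

function parseCsp(policy) {
  const directives = {};
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// The directive that governs a request type, with the default-src fallback.
function governingDirective(directives, name) {
  if (directives[name]) return { name, values: directives[name] };
  if (directives['default-src']) {
    return { name: 'default-src', values: directives['default-src'] };
  }
  return null; // nothing restricts this request type
}

// Does the governing source list permit a fetch of `url` from `pageOrigin`?
function allowsFetch(directives, directiveName, url, pageOrigin) {
  const d = governingDirective(directives, directiveName);
  if (d === null) return true;
  const target = new URL(url).origin;
  // 'none' is only meaningful on its own; treat any occurrence as a block.
  if (d.values.includes("'none'")) return false;
  return d.values.some((src) => {
    if (src === '*') return true;
    if (src === "'self'") return target === pageOrigin;
    if (src.startsWith("'")) return false; // other keywords grant no origin
    try {
      return new URL(src).origin === target; // full-origin source only
    } catch (e) {
      return false; // bare host-sources are not modelled here
    }
  });
}

// Is an inline <style> element applied under this policy?
function allowsInlineStyle(directives) {
  const d = governingDirective(directives, 'style-src');
  return d === null || d.values.includes("'unsafe-inline'");
}

// Evaluate the report's page: an inline <style> whose background-image
// points at a cross-origin GIF. The image is only requested if the style
// is applied in the first place.
function evaluatePage(policy, pageOrigin = 'https://example.test') { // constructed origin
  const directives = parseCsp(policy);
  const image = 'https://www.w3schools.com/css/paper.gif'; // URL from the report
  const styleApplied = allowsInlineStyle(directives);
  const governs = governingDirective(directives, 'img-src');
  return {
    styleApplied,
    imageLoaded: styleApplied && allowsFetch(directives, 'img-src', image, pageOrigin),
    imageGovernedBy: governs ? governs.name : null,
  };
}

// The policy exactly as filed, then with 'unsafe-inline' added as comment 2 suggests.
const AS_FILED = "default-src 'self'; img-src 'none'; child-src 'none';";
const WITH_INLINE =
  "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'none'; child-src 'none';";

const RESULTS = {
  asFiled: evaluatePage(AS_FILED),      // style blocked, so the image is never requested
  withInline: evaluatePage(WITH_INLINE), // style applied, image blocked by img-src 'none'
};
console.log(RESULTS);
```

Under the policy as filed the inline style is never applied, so the browser has no background-image to request; once `style-src` allows inline styles, the request is made and `img-src 'none'` blocks it. Either way a compliant browser shows no cross-origin image, which is what comment 2 describes.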
Comment 3•11 months ago
There is no longer a preference that disables CSP so I don't understand how your profile apparently does not process CSP at all, but it appears you do not have that feature somehow. We cannot reproduce this, and we haven't heard back that you have tried with a fresh profile or what your list of addons are.