1940273 - Assert that all windows/dialogs have a CSP

Status: RESOLVED FIXED

(Core :: DOM: Security, task)

Description

[Tom Schuster]

We already assert that about: pages have a CSP (See nsContentSecurityUtils::AssertAboutPageHasCSP) we should do something similar for windows/dialogs.

Comment 1

[Tom Schuster]

Attachment: Bug 1940273 - Assert that all loaded chrome: documents have some CSP. r?freddyb

Comment 2

[Tom Schuster]

I think I've found all or most chrome documents without a CSP that are loaded during tests now.

Comment 3

[Tom Schuster]

Attachment: Bug 1940273 - Enforce a baseline default-src policy for chrome: pages. r?freddyb

Comment 4

[Pulsebot]

Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/312c5cc5dc24
Assert that all loaded chrome: documents have some CSP. r=freddyb
https://hg.mozilla.org/integration/autoland/rev/f9e293e9ee57
Enforce a baseline default-src policy for chrome: pages. r=freddyb
https://hg.mozilla.org/integration/autoland/rev/9a6898e9f3a5
apply code formatting via Lando

Comment 5

[amarc]

Backed out for causing mass failures

• Backout link
• Push with failures
• Failure Log
• Failure log 2
• Failure log 3
• Failure log 4

Comment 6

[Pulsebot]

Pushed by tschuster@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1f38e5f88eb8
Assert that all loaded chrome: documents have some CSP. r=freddyb
https://hg.mozilla.org/integration/autoland/rev/dbf2787916d6
Enforce a baseline default-src policy for chrome: pages. r=freddyb
https://hg.mozilla.org/integration/autoland/rev/76f3a9227fc6
apply code formatting via Lando

Comment 7

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/1f38e5f88eb8
https://hg.mozilla.org/mozilla-central/rev/dbf2787916d6
https://hg.mozilla.org/mozilla-central/rev/76f3a9227fc6

Comment 8

[Alessandro Castellani [:aleca]]

Could we have some guidance on how to properly port this to Thunderbird?
Our tests in our debug builds are borked https://treeherder.mozilla.org/jobs?repo=comm-central&revision=53ee78223fb053bd26e1b978b74010fe2f6f79aa&selectedTaskRun=OViVBivoQKKdIC77j0iYig.0

• Should we just add <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'"/> to all our pages?
• Why some pages are allowed to not have a CSP? https://hg.mozilla.org/mozilla-central/rev/1f38e5f88eb8#l2.60
• Could you shed some light on why there's a static pref to disable CSP for browser.xhtml? https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#15890
• What's the reason behind having a build flags for the CSP only on browser but not other pages? https://searchfox.org/mozilla-central/source/browser/base/content/browser.xhtml#32-34

Any help or pointing to the right documentation is greatly appreciated.

Comment 9

[Alessandro Castellani [:aleca]]

Would it be possible to back this out.
This caused mass bustages and multiple test carshes to Thunderbird.

Comment 10

[Tom Schuster]

(In reply to Alessandro Castellani [:aleca] from comment #8)

Could we have some guidance on how to properly port this to Thunderbird?
Our tests in our debug builds are borked https://treeherder.mozilla.org/jobs?repo=comm-central&revision=53ee78223fb053bd26e1b978b74010fe2f6f79aa&selectedTaskRun=OViVBivoQKKdIC77j0iYig.0

• Should we just add <meta http-equiv="Content-Security-Policy" content="default-src chrome:; object-src 'none'"/> to all our pages?

That would be great, because this is a very secure CSP. Do note that in bug 1946040, I am asserting that all pages that have CSP, have a CSP that is relatively secure. e.g. script-src 'unsafe-inline' is absolutely forbidden.

• Why some pages are allowed to not have a CSP? https://hg.mozilla.org/mozilla-central/rev/1f38e5f88eb8#l2.60

This is just a temporary measure before we can add a CSP to them. This way, at least, no one introduces new pages without CSPs.

• Could you shed some light on why there's a static pref to disable CSP for browser.xhtml? https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#15890

browser.xhtml is a special case, because breaking it could break most of the browser UI. So for the worst case we have a way of disabling it. It's also useful to people modifying Firefox, but the pref is meant to be temporary of course.

• What's the reason behind having a build flags for the CSP only on browser but not other pages? https://searchfox.org/mozilla-central/source/browser/base/content/browser.xhtml#32-34

See above. We wanted to be able to do a slower rollout of the CSP for browser.xhtml

Any help or pointing to the right documentation is greatly appreciated.

See e.g. this firefox-dev post.

If you don't care about CSPs in Thunderbird you could add "chrome://mail/" to sAllowedChromePagesWithNoCSP.