Closed Bug 1948889 Opened 1 month ago Closed 25 days ago

Change SRI message to take referrer url for warnings in a thread-safe way.

Categories

(Core :: DOM: Security, defect, P2)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
137 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox135 --- wontfix
firefox136 --- wontfix
firefox137 --- fixed

People

(Reporter: emilio, Assigned: freddy)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [domsecurity-active])

Attachments

(1 file)

Bug 1948889 - Simplify SRICheck by getting location from http referrer info. r=freddyb
48 bytes, text/x-phabricator-request
Details | Review

https://searchfox.org/mozilla-central/rev/a80b3969c6d78ac5ba2552a5bce5e5c7a74f3a9b/dom/script/ScriptLoader.cpp#932 (and similar code in the fetch driver / sheet loader / etc) uses the doc URI for SRI warnings.

That feels wrong? I guess the idea is that you can only specify SRI via attributes? But still wouldn't it be more helpful to point to the subresource URI that's actually failing to validate?

Oh, good catch. Looks like this got regressed by bug 1839316.

However, I can not come up with a test case that verifies this being wrong.

I have already looked at

  • https://www.srihash.org/
  • wpt in subresource-integrity/subresource-integrity.html
  • wpt in content-security-policy/unsafe-hashes
    ... and I could not get to any error condition that reports the wrong URL.
Assignee: nobody → fbraun
Severity: -- → S3
Keywords: regression
Priority: -- → P2
Regressed by: 1839316

Ah, I was writing a patch :)

(In reply to Frederik Braun [:freddy] from comment #1)

Oh, good catch. Looks like this got regressed by bug 1839316.

However, I can not come up with a test case that verifies this being wrong.

I mean it only affects console messages, so no WPT impact.

With my patch, devtools points to must-fail.css rather than srihash.org in the console.

Whiteboard: [domsecurity-active]
Blocks: 1948887

Oh, now I get it. This is about the logged URL at the right side of the devtools console. Not as part of the message text.
Before the patch, the message logged that the error is at the HTML file which includes the hashed resources. With your patch it is now logging the URL of the file that was meant to be included.

We can't really tell if the provided hash was wrong or if the response was wrong. I'd slightly lean that most cases have a wrong hash in the URL rather than an unexpected resource showing up. But 's really just... a choice? I am OK with either.

Tom has done most of the recent SRI work so I'd like him to weigh in.

Flags: needinfo?(tschuster)

In bug 1938307 I added an explicit reference in the error message to the SRI using resource URL that failed to load. To me this makes more sens than changing the source location. The SRI is actually not an intrinsic part of the requested resource, but is actually defined by the place (source) requesting the resource.

Flags: needinfo?(tschuster)

I think I want to stick with what I was leaning to.

The log message already contains failing resource URL and the computed hash in the message. I believe the source URL should point to whatever closest match we have for what was requesting the incorrect message. I think it's perfect.

But the source url (right bit in the console) should continue point to the document URL as a "source URL".
If we can provide more info (like the exact source line in HTML / JS), we should ideally point to that.

@emilio: I think we should wontfix this bug. Does that reasoning make sense? Anything we overloked?

I guess we could explicitly include the resource URI in all error messages that don't have it yet?

Ok, I think it's a bit weird, but let's repurpose this to take the referrer url from the channel, since I need that to make the stylesheet SRI stuff work off the main thread.

Summary: SRI uses weird URIs for console warnings → Change SRI message to take referrer url for warnings in a thread-safe way.
Attachment #9466840 - Attachment description: Bug 1948889 - Use subresource uri for SRI warnings. r=freddyb → Bug 1948889 - Simplify SRICheck by getting location from http referrer info. r=freddyb

As this is a regression, I am setting release status for affected releases. However, given this only affects devtools I am quite happy with only fixing this in Nightly.

status-firefox135: --- → wontfix
status-firefox136: --- → wontfix
status-firefox137: --- → affected
status-firefox-esr115: --- → wontfix
status-firefox-esr128: --- → wontfix
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3e461094881c Simplify SRICheck by getting location from http referrer info. r=freddyb,tschuster

https://hg.mozilla.org/mozilla-central/rev/3e461094881c
https://hg.mozilla.org/mozilla-central/rev/bb800db4ae96

Status: NEW → RESOLVED
Closed: 25 days ago
status-firefox137: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 137 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: