Closed Bug 1953866 Opened 9 months ago Closed 8 months ago

Add a strict script-src CSP to browser.xhtml

Categories

(Core :: DOM: Security, task)


Tracking


RESOLVED FIXED
139 Branch
Tracking Status
firefox139 --- fixed

People

(Reporter: tschuster, Assigned: tschuster)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

We currently use the policy script-src-attr 'none' for browser.xhtml's CSP; we should upgrade this to script-src chrome: resource:. The most important aspect is that this would disallow inline scripts in addition to inline event handlers.

Depends on: 1954064
Depends on: 1954074

I think I am going to have to add 'unsafe-eval' to the allowed sources. We already block eval in the parent-process and system principals (bug 1582229). However, we still have quite a lot of tests that depend on the pref security.allow_eval_with_system_principal to opt out of the eval restriction. So instead of fixing all of these eval uses, I believe we can rely on that restriction instead.
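To make the difference between the two policies concrete, here is an added example (not code from this bug or from Firefox's CSP implementation) that models the CSP3 script-directive fallback chain and compares the old browser.xhtml policy from the description with the proposed one plus the 'unsafe-eval' this comment anticipates. The evaluator is deliberately simplified: it understands only scheme-sources such as chrome:, the 'none', 'unsafe-inline' and 'unsafe-eval' keywords, and the script-src-attr / script-src-elem → script-src → default-src fallback; the script URLs are constructed sample values.

```javascript
// Added example: a simplified model of CSP script-directive evaluation,
// used to compare browser.xhtml's old policy ("script-src-attr 'none'")
// with the stricter policy proposed in this bug. This is NOT Firefox's
// CSP engine; it models only scheme-sources, 'none', 'unsafe-inline',
// 'unsafe-eval', and the CSP3 fallback chain between script directives.

// Parse a serialized policy into a Map of directive name -> source list.
function parsePolicy(serialized) {
  const directives = new Map();
  for (const raw of serialized.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // CSP keeps only the first occurrence of a directive name.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Fallback chain per CSP3: the specific directive wins, then script-src,
// then default-src. eval is governed by script-src only, never by -attr/-elem.
const FALLBACK = {
  "inline-handler": ["script-src-attr", "script-src", "default-src"],
  "inline-script": ["script-src-elem", "script-src", "default-src"],
  "external-script": ["script-src-elem", "script-src", "default-src"],
  "eval": ["script-src", "default-src"],
};

// Return the source list that governs this kind of script, or null when
// no directive applies (in which case CSP imposes no restriction).
function governingSources(policy, kind) {
  for (const name of FALLBACK[kind]) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

// Only scheme-sources (e.g. "chrome:") are modelled, which is all the
// browser.xhtml policy in this bug uses.
function sourceMatchesUrl(source, url) {
  if (source.endsWith(":")) {
    return url.toLowerCase().startsWith(source.toLowerCase());
  }
  return false;
}

// Decide whether a script of the given kind is allowed under the policy.
// `url` is consulted only for kind === "external-script".
function allowsScript(policy, kind, url = "") {
  const sources = governingSources(policy, kind);
  if (sources === null) return true;
  const lowered = sources.map((s) => s.toLowerCase());
  if (lowered.includes("'none'")) return false;
  switch (kind) {
    case "inline-handler":
    case "inline-script":
      return lowered.includes("'unsafe-inline'");
    case "eval":
      return lowered.includes("'unsafe-eval'");
    case "external-script":
      return lowered.some((s) => sourceMatchesUrl(s, url));
  }
  return false;
}

// The old policy quoted in the description, and the proposed one with the
// 'unsafe-eval' the assignee expects to need.
const OLD_POLICY = parsePolicy("script-src-attr 'none'");
const NEW_POLICY = parsePolicy("script-src chrome: resource: 'unsafe-eval'");

// Compare both policies over a fixed set of script kinds. The URLs below
// are constructed sample values, not paths taken from the bug.
function comparePolicies() {
  const cases = [
    ["inline-handler", ""],
    ["inline-script", ""],
    ["eval", ""],
    ["external-script", "chrome://browser/content/example.js"],
    ["external-script", "https://example.invalid/injected.js"],
  ];
  return cases.map(([kind, url]) => ({
    kind,
    url,
    old: allowsScript(OLD_POLICY, kind, url),
    new: allowsScript(NEW_POLICY, kind, url),
  }));
}

console.table(comparePolicies());
```

The table makes the reporter's point visible: under script-src-attr 'none' an inline event handler is blocked but an inline script element and eval still pass, because no script-src or default-src governs them. With script-src chrome: resource: both inline forms are blocked and only chrome:/resource: loads remain, while eval is permitted solely because 'unsafe-eval' is listed; drop that keyword and allowsScript(..., "eval") returns false, which is the restriction the tests behind security.allow_eval_with_system_principal would trip over.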

Depends on: 1954448
Depends on: 1954471
Attachment #9473205 - Attachment description: WIP: Bug 1953866 - Add a strict script-src CSP to browser.xhtml for Nightly/Beta → Bug 1953866 - Add a strict script-src CSP to browser.xhtml for Nightly/Beta. r?freddyb!,#firefox-desktop-core-reviewers!

There are some unknown instances of eval that we never fully got rid of after https://bugzilla.mozilla.org/show_bug.cgi?id=1582229. We should definitely look at those, but maybe as a follow-up.

It seems like the remaining eval uses don't happen in the context of browser.xhtml, so they don't block this work. We should still try to get rid of them of course.

Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ecbd70eba6bd Allow moz-src: by default in our CSPs for chrome:/resource: documents. r=simonf
Pushed by tschuster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/59bf42331983 Add a strict script-src CSP to browser.xhtml for Nightly/Beta. r=freddyb,firefox-desktop-core-reviewers ,mossop
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 139 Branch
QA Whiteboard: [qa-triage-done-c140/b139]
