Closed
Bug 1971719
(CVE-2025-8031)
Opened 7 months ago
Closed 7 months ago
Strip username:password from URL in CSP reports
Categories
(Core :: DOM: Security, defect)
Core
DOM: Security
Tracking
()
People
(Reporter: tschuster, Assigned: tschuster)
References
(Blocks 1 open bug, )
Details
(Keywords: sec-moderate, Whiteboard: [adv-main141+][adv-ESR140.1+][adv-ESR128.13+], [wptsync upstream])
Attachments
(5 files, 2 obsolete files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-esr140+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-esr115-
pascalc
:
approval-mozilla-esr128+
|
Details | Review |
|
204 bytes,
text/plain
|
Details |
Our current implementation of 5.4. Strip URL for use in reports does not follow the specification.
- We don't strip username and password from the URL.
- We seem to allow ws: and wss: schemes. I don't find that too troubling, considering that http:/https: is allowed by the specification. We should look into what other browsers do and maybe upstream this.
- We strip down cross-origin URLs to the "pre-path" for frame-src/object-src directives. We should probably look into upstreaming this into specification, as it as important protection against cross-origin leaks.
|
Assignee | |
Updated•7 months ago
|
See Also: → CVE-2025-8038, CVE-2023-25728
|
|
Assignee | |
Updated•7 months ago
|
Assignee: nobody → tschuster
|
|
Assignee | |
Comment 1•7 months ago
|
||
I've filed a spec issue here: https://github.com/w3c/webappsec-csp/issues/735. I guess this makes it a bit more likely that someone will notice this bug in our implementation, but it wasn't really avoidable because there were some proposed changes to URI stripping just a few hours ago: https://github.com/w3c/webappsec-csp/pull/734.
|
|
Assignee | |
Updated•7 months ago
|
See Also: → https://github.com/w3c/webappsec-csp/issues/735
|
|
Assignee | |
Comment 2•7 months ago
|
||
|
||
Updated•7 months ago
|
Attachment #9494574 -
Attachment description: WIP: Bug 1971719 - Align more closely with the CSP specification for #strip-url-for-use-in-reports. → Bug 1971719 - Align more closely with the CSP specification for #strip-url-for-use-in-reports. r?freddyb
|
|
Assignee | |
Comment 3•7 months ago
|
||
|
|
Assignee | |
Comment 4•7 months ago
|
||
I think this might qualify as sec-high like bug 1790345, because we don't strip the username:password from cross-origin URLs.
|
|
Assignee | |
Updated•7 months ago
|
status-firefox139:
--- → affected
status-firefox140:
--- → affected
status-firefox141:
--- → affected
status-firefox-esr115:
--- → affected
status-firefox-esr128:
--- → affected
|
||
Comment 5•7 months ago
|
||
While stealing credentials via CSP reports might be really disastrous., this requires atypical user behavior (phishing) and site configurations (basic authentication)
Keywords: sec-moderate
Pushed by smolnar@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/bdbe580b6431
https://hg.mozilla.org/mozilla-central/rev/59d0086ac0d6
Align more closely with the CSP specification for #strip-url-for-use-in-reports. r=freddyb
|
||
Comment 7•7 months ago
|
||
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 7 months ago
status-firefox-esr140:
--- → affected
tracking-firefox141:
--- → +
tracking-firefox-esr115:
--- → 141+
tracking-firefox-esr128:
--- → 141+
tracking-firefox-esr140:
--- → 141+
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch
|
|
Assignee | |
Comment 8•7 months ago
|
||
Any strong reason for marking 140 was wontfix? I would have probably considered uplifting this.
Flags: needinfo?(dmednikov)
|
|
Assignee | |
Updated•7 months ago
|
Flags: needinfo?(dmednikov)
|
|
||
Comment 9•7 months ago
|
||
(In reply to Tom Schuster (MoCo) from comment #8)
Any strong reason for marking 140 was wontfix? I would have probably considered uplifting this.
Fx140 is now in release. This is not a suitable candidate for a dot release since it also impacts ESRs.
Tom, please add ESR128 and ESR140 uplift requests when you have a moment.
tracking-firefox-esr115:
141+ → ---
Flags: needinfo?(tschuster)
|
|
Assignee | |
Comment 10•7 months ago
|
||
Comment on attachment 9494574 [details]
Bug 1971719 - Align more closely with the CSP specification for #strip-url-for-use-in-reports. r?freddyb
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Leaking HTTP auth username/password from cross-origin iframes.
- User impact if declined: Stolen credentials
- Fix Landed on Version: 141
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This only changes the reporting of CSP errors, which isn't critical. There are tests.
Flags: needinfo?(tschuster)
Attachment #9494574 -
Flags: approval-mozilla-esr140?
Attachment #9494574 -
Flags: approval-mozilla-esr128?
|
||
Comment 11•6 months ago
|
||
Tom, the patch does not apply cleanly to the ESR branches, could you provide ESR partches? Also, do we want to also fix ESR115? Thanks
Flags: needinfo?(tschuster)
|
|
Assignee | |
Updated•6 months ago
|
Flags: needinfo?(tschuster)
Attachment #9494574 -
Flags: approval-mozilla-esr140?
Attachment #9494574 -
Flags: approval-mozilla-esr128?
|
|
Assignee | |
Comment 12•6 months ago
|
||
|
|
||
Updated•6 months ago
|
Attachment #9498830 -
Flags: approval-mozilla-esr140?
|
|
Assignee | |
Comment 13•6 months ago
|
||
|
|
||
Updated•6 months ago
|
Attachment #9498831 -
Flags: approval-mozilla-esr128?
|
|
Assignee | |
Updated•6 months ago
|
Attachment #9498831 -
Flags: approval-mozilla-esr115?
|
||
Updated•6 months ago
|
|
||
Updated•6 months ago
|
QA Whiteboard: [sec] [qa-triage-done-c142/b141]
Flags: qe-verify-
|
|
||
Updated•6 months ago
|
Attachment #9498831 -
Flags: approval-mozilla-esr115? → approval-mozilla-esr115-
|
||
Comment 14•6 months ago
|
||
| uplift | ||
|
|
||
Comment 15•6 months ago
|
||
| uplift | ||
|
|
||
Updated•6 months ago
|
|
|
||
Updated•6 months ago
|
Attachment #9498831 -
Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
|
|
||
Updated•6 months ago
|
Attachment #9498830 -
Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
|
||
Updated•6 months ago
|
Whiteboard: [adv-main141+]
|
|
||
Updated•6 months ago
|
Whiteboard: [adv-main141+] → [adv-main141+][adv-ESR128.13+]
|
|
||
Updated•6 months ago
|
Whiteboard: [adv-main141+][adv-ESR128.13+] → [adv-main141+][adv-ESR140.1+][adv-ESR128.13+]
|
|
||
Comment 16•6 months ago
|
||
|
|
||
Comment 17•6 months ago
|
||
Attachment #9500534 -
Attachment is obsolete: true
|
|
||
Comment 18•6 months ago
|
||
Attachment #9500657 -
Attachment is obsolete: true
|
|
||
Updated•6 months ago
|
Alias: CVE-2025-8031
|
|
Assignee | |
Updated•4 months ago
|
Group: core-security-release
|
|
||
Comment 19•4 months ago
|
||
Pushed by tschuster@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/6d5653f597bb
https://hg.mozilla.org/integration/autoland/rev/ad0bd6ddde3e
WPT for CSP report username and password stripping. r=freddyb
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/54499 for changes under testing/web-platform/tests
Whiteboard: [adv-main141+][adv-ESR140.1+][adv-ESR128.13+] → [adv-main141+][adv-ESR140.1+][adv-ESR128.13+], [wptsync upstream]
|
||
Comment 21•4 months ago
|
||
| bugherder | ||
Upstream PR merged by moz-wptsync-bot
You need to log in
before you can comment on or make changes to this bug.
Description
•