Closed Bug 536606 Opened 13 years ago Closed 11 years ago

Trunk now rejects cross-domain CSS loads with improper MIME type, even in quirks mode


(Tech Evangelism Graveyard :: English US, defect)

Not set


(Not tracked)



(Reporter: zwol, Unassigned)



To fix security bug 524223 (embargoed until Dec 28, but I think it would be okay to share details with affected sites - cevans, please confirm) we've landed a change on mozilla-central that tightens up the rules for cross-domain CSS loads.  Previously, we would load any URL as a style sheet for a quirks mode document, regardless of its server-specified MIME type.  Now, if the style sheet is not same-origin with the requesting document, it must be served as text/css or with no MIME type at all (just as for standards mode documents).  We intend to backport this change to 3.6 and possibly also 3.5 as soon as site compatibility is addressed.

Chris Evans from Google has provided us with a list of sites known to be affected; probably the most prominent is configure(.XX)  They should be straightforward for the site owners to fix.  We need to contact them and request fixes.

Note that some of these sites are NSFW.
Yes, please share details with whomever you think might find them useful.

There may be other affected sites; the above list is mined out of 500,000 of the top most popular URLs.

Some of these sites may not be directly at fault; I think one or two of the sites just happened to use a busted ad network. The best test is if somehow you can view the site with and without the security fix -- and see if these is obvious breakage.
Group: core-security
Duplicate of this bug: 549172
David Lin-Shung Huang and Collin Jackson (of CMU) are working on a paper about this vulnerability, and David has kindly volunteered to do the evangelism.
Assignee: english-us → linshunghuang
As I was testing yesterday, I found that have already fixed their backend css.aspx (e.g. ) to serve text/css MIME type.
FYI, a patch for this issue has *finally* hit 3.6 (not for .4, but for .5) - this implements the laxer policy, where a cross-domain load is honored even with the wrong MIME type, but only if the first construct in the file is syntactically valid CSS.  This will also go into as soon as I get the thumbs-up from the release managers.
I should update the list, since plenty of sites (luckily the prominent ones) have already fixed their CSS content types. Some links that are unreachable, redirected to landing page, or mis-configured CSS is now same-origin, are also removed from the list.

The remaining 8 unfixed sites are as follows (along with the affected CSS links):

1. (text/html) (text/html) 
2. (application/octet-stream) 
3. (text/html) 
4. (application/css) (application/css) 
5. (text/html) (text/html) 
6. (text/plain) 
7. (text/html) 
8. (application/octet-stream)
Assignee: linshunghuang → english-us
I don't think it's useful to leave this bug open any longer.  The policy change is no longer novel and has been adopted by all major browsers, including fully-patched-up copies of all versions of IE back to v6, so if these sites haven't been fixed by now, they're probably not gonna bother.
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Product: Tech Evangelism → Tech Evangelism Graveyard
You need to log in before you can comment on or make changes to this bug.