536606 - Trunk now rejects cross-domain CSS loads with improper MIME type, even in quirks mode

Status: RESOLVED INCOMPLETE

(Tech Evangelism Graveyard :: English US, defect)

Description

[Zack Weinberg (:zwol)]

To fix security bug 524223 (embargoed until Dec 28, but I think it would be okay to share details with affected sites - cevans, please confirm) we've landed a change on mozilla-central that tightens up the rules for cross-domain CSS loads.  Previously, we would load any URL as a style sheet for a quirks mode document, regardless of its server-specified MIME type.  Now, if the style sheet is not same-origin with the requesting document, it must be served as text/css or with no MIME type at all (just as for standards mode documents).  We intend to backport this change to 3.6 and possibly also 3.5 as soon as site compatibility is addressed.

Chris Evans from Google has provided us with a list of sites known to be affected; probably the most prominent is configure(.XX).dell.com.  They should be straightforward for the site owners to fix.  We need to contact them and request fixes.

Note that some of these sites are NSFW.

http://ads.lfstmedia.com/
http://apps.facebook.com/
http://configure.dell.com/
http://configure.la.dell.com/
http://configure.us.dell.com/
http://date.bluesystem.ru/
http://forms.real.com/
http://forum.derwesten.de/
http://jplanner.travelinenortheast.info/
http://media.paran.com/
http://month.gismeteo.ru/
http://news.gismeteo.ru/
http://practiceexam.keys2drive.ca/
http://search.chl.it/
http://search.vampirefreaks.com/
http://story.bluesystem.org/
http://submit.123rf.com/
http://telefilmdb.blogspot.com/
http://www.aif.ru/
http://www.art.com/
http://www.baseball-reference.com/
http://www.edurang.net/
http://www.fantatornei.com/
http://www.google.es/ig/setp
http://www.homeportfolio.com/
http://www.pleshka.com/
http://www.smmail.cn/
http://info.smmail.cn/
http://www.tabelas.lancenet.com.br/
http://www.thongsdaily.com/
http://www.zootube365.com/
http://zootube365.com/

Comment 1

[Chris Evans]

Yes, please share details with whomever you think might find them useful.

There may be other affected sites; the above list is mined out of 500,000 of the top most popular URLs.

Some of these sites may not be directly at fault; I think one or two of the sites just happened to use a busted ad network. The best test is if somehow you can view the site with and without the security fix -- and see if these is obvious breakage.

Comment 3

[Zack Weinberg (:zwol)]

David Lin-Shung Huang and Collin Jackson (of CMU) are working on a paper about this vulnerability, and David has kindly volunteered to do the evangelism.

Comment 4

[David Lin-Shung Huang]

As I was testing yesterday, I found that dell.com have already fixed their backend css.aspx (e.g. http://configure-cdn.us.dell.com/Dellstore/public/css.aspx?c=us&l=en&~set=storm76MH ) to serve text/css MIME type.

Comment 5

[Zack Weinberg (:zwol)]

FYI, a patch for this issue has *finally* hit 3.6 (not for .4, but for .5) - this implements the laxer policy, where a cross-domain load is honored even with the wrong MIME type, but only if the first construct in the file is syntactically valid CSS.  This will also go into 3.5.next as soon as I get the thumbs-up from the release managers.

Comment 6

[David Lin-Shung Huang]

I should update the list, since plenty of sites (luckily the prominent ones) have already fixed their CSS content types. Some links that are unreachable, redirected to landing page, or mis-configured CSS is now same-origin, are also removed from the list.

The remaining 8 unfixed sites are as follows (along with the affected CSS links):

1. http://jplanner.travelinenortheast.info/jpclient.exe
http://www.travelinenortheast.info/jplanner/config.nsf/vstylesheets/styleprint (text/html) 
http://www.travelinenortheast.info/jplanner/config.nsf/vstylesheets/stylecontents (text/html) 
2. http://search.chl.it/search.aspx
http://www.chl.it/files/stylepartners.css (application/octet-stream) 
3. http://www.art.com/gallery/id--0/posters_p2.htm
http://www.art.com/ADC.NET/css/searchnotfound.css (text/html) 
4. http://www.edurang.net/uview/wrd/run/portal.show
http://www.edurang.net/enview-admin/css/dhtmlXTree.css (application/css) 
http://www.edurang.net/enview/decorations/layout/edurang_new/autumn/css/content.css (application/css) 
5. http://www.tabelas.lancenet.com.br/Default.aspx
http://www.lancenet.com.br/inc/capa.css (text/html) 
http://www.lancenet.com.br/mobile/style_cdweb.css (text/html) 
--NSFW--
6. http://www.pleshka.com/
http://pleshka.com/css/css (text/plain) 
7. http://www.thongsdaily.com/
http://pics.thongsdaily.com/css/thong-style.css?20070422 (text/html) 
8. http://zootube365.com/
http://92.61.240.22:8080/style/style.css (application/octet-stream)

Comment 7

[David Lin-Shung Huang]

Sorry, two of them are same-origin. The remaining 6 unfixed sites are as follows (along with the affected CSS links):

1. http://jplanner.travelinenortheast.info/jpclient.exe
http://www.travelinenortheast.info/jplanner/config.nsf/vstylesheets/styleprint (text/html) 
http://www.travelinenortheast.info/jplanner/config.nsf/vstylesheets/stylecontents (text/html) 
2. http://search.chl.it/search.aspx
http://www.chl.it/files/stylepartners.css (application/octet-stream) 
3. http://www.tabelas.lancenet.com.br/Default.aspx
http://www.lancenet.com.br/inc/capa.css (text/html) 
http://www.lancenet.com.br/mobile/style_cdweb.css (text/html) 
--NSFW--
4. http://www.pleshka.com/
http://pleshka.com/css/css (text/plain) 
5. http://www.thongsdaily.com/
http://pics.thongsdaily.com/css/thong-style.css?20070422 (text/html) 
6. http://zootube365.com/
http://92.61.240.22:8080/style/style.css (application/octet-stream)

Comment 8

[Zack Weinberg (:zwol)]

I don't think it's useful to leave this bug open any longer.  The policy change is no longer novel and has been adopted by all major browsers, including fully-patched-up copies of all versions of IE back to v6, so if these sites haven't been fixed by now, they're probably not gonna bother.