Bug 550442: (CSP) Handling of object subrequests makes it hard to define policies
Opened 15 years ago; closed 15 years ago
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED FIXED
People: Reporter: jwkbugzilla; Assigned: geekboy
References: Blocks 1 open bug
Attachments (1 file): patch, 1.55 KB, dveditz: review+
I enabled CSP on adblockplus.org. However, I noticed that allowing a YouTube video (that I have on the main page) is far from trivial. Specifying object-src www.youtube.com is not sufficient - this video makes subrequests to ytimg.com which have to be allowed as well. What's worse, I have to allow ytimg.com in the "catch-all" rule where I wanted to have 'self' and nothing else.
I see two solutions:
1) Always allow object subrequests. After all, these are made by the object that the webmaster typically doesn't control. It's not obvious where ytimg.com requests came from. Then again, the same is true for third-party scripts that make additional requests - and restricting those is still desirable.
"Patch" for contentSecurityPolicy.js:
- csp._MAPPINGS[cp.TYPE_OBJECT_SUBREQUEST] = cspr_sd.ALLOW;
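Review bot: This hunk only removes the ALLOW mapping and puts nothing in its place, so the "always allow" behaviour ends up depending on how the policy code treats a load type that has no entry in csp._MAPPINGS at all; that fallback should be confirmed, or the intent made explicit with a mapping, rather than relied on implicitly. As the description itself points out, an unconditional allow also gives subrequests a path around the policy that third-party scripts do not get, which argues for solution 2 over this one.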
2) Make object subrequests respect object-src instead of going to catch-all immediately. After all, these requests belong to the object previously allowed; this also gives the webmaster more granular control.
"Patch" for contentSecurityPolicy.js:
- csp._MAPPINGS[cp.TYPE_OBJECT_SUBREQUEST] = cspr_sd.ALLOW;
+ csp._MAPPINGS[cp.TYPE_OBJECT_SUBREQUEST] = cspr_sd.OBJECT_SRC;
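Review bot: Mapping TYPE_OBJECT_SUBREQUEST to OBJECT_SRC makes a subrequest subject to the same source list as the object that issued it, which is the consistent choice, but the hunk carries no test. A test that loads a policy with 'self' in the catch-all and a second host only in object-src, then checks that an object subrequest to that host is now allowed while a subrequest to a host listed in neither directive is still blocked, would pin down exactly the ytimg.com case from the report and guard against the mapping being reverted later.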
Updated (Assignee) • 15 years ago
Assignee: nobody → sstamm
Status: NEW → ASSIGNED
Comment 1 (Assignee) • 15 years ago
I can totally see this problem, thanks for the feedback. I'm trying to remember if there was a reason we specifically put TYPE_OBJECT_SUBREQUEST in the "ALLOW" bucket, but I'm not coming up with any really good reasons. I think maybe it was an effort to minimize subordinate loads from flash, but it seems to be pretty common.
> - csp._MAPPINGS[cp.TYPE_OBJECT_SUBREQUEST] = cspr_sd.ALLOW;
> + csp._MAPPINGS[cp.TYPE_OBJECT_SUBREQUEST] = cspr_sd.OBJECT_SRC;
I think this looks like a good fix. Actual patch attached.
Attachment #430644 - Flags: review?(dveditz)
Comment 2 • 15 years ago
(In reply to comment #1)
> I'm trying to remember if there was a reason we specifically put
> TYPE_OBJECT_SUBREQUEST in the "ALLOW" bucket, but I'm not coming up with
> any really good reasons.
I think it's a bug; we talked about this case and I thought we agreed subordinate loads from an object are subject to the object policy for consistency of behavior. Otherwise you can get the same kind of end-run around the policy you can with redirects.
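The mapping change discussed in the description and in comment 2, as an added example that is not Mozilla's contentSecurityPolicy.js: a small JavaScript model of how a CSP engine routes each load type to a directive and checks the request host against it. The `cp.TYPE_*` and `cspr_sd.*` names mirror the patch but are stand-ins; writing the catch-all directive as `allow` is an assumption taken from the `cspr_sd.ALLOW` name; `adblockplus.org`, `www.youtube.com` and `ytimg.com` come from the report, and `unlisted.example` is a constructed third host. It compares the three behaviours: the original mapping to the catch-all, deleting the mapping (solution 1), and mapping to object-src (solution 2).

```javascript
// Added example, not Mozilla's contentSecurityPolicy.js: a toy CSP decision routine.
// cp.TYPE_* and cspr_sd.* are stand-ins for the constants named in the patch;
// "allow" as the catch-all directive name is an assumption taken from cspr_sd.ALLOW.
const cp = { TYPE_OBJECT: 1, TYPE_OBJECT_SUBREQUEST: 2, TYPE_IMAGE: 3 };
const cspr_sd = { ALLOW: "allow", OBJECT_SRC: "object-src", IMG_SRC: "img-src" };

// Parse "allow 'self'; object-src a b" into { allow: ["'self'"], "object-src": ["a", "b"] }.
function parsePolicy(text) {
  const policy = {};
  for (const part of text.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name] = sources;
  }
  return policy;
}

// A host matches a source list if it is listed explicitly or is 'self' (the page's own host).
function hostAllowed(sources, host, selfHost) {
  return sources.some((src) => (src === "'self'" ? host === selfHost : src === host));
}

// Route a load to the directive its type maps to. A directive the policy does not set
// falls back to the catch-all; a type with no mapping at all is permitted outright.
function checkLoad(policy, mappings, type, host, selfHost) {
  const directive = mappings[type];
  if (directive === undefined) return { allowed: true, via: "unmapped" };
  const via = policy[directive] ? directive : cspr_sd.ALLOW;
  return { allowed: hostAllowed(policy[via] || [], host, selfHost), via };
}

// Original table: object subrequests go straight to the catch-all.
const mappingsBefore = {
  [cp.TYPE_OBJECT]: cspr_sd.OBJECT_SRC,
  [cp.TYPE_OBJECT_SUBREQUEST]: cspr_sd.ALLOW,
  [cp.TYPE_IMAGE]: cspr_sd.IMG_SRC,
};
// Solution 1: drop the mapping, so subrequests are never checked against anything.
const mappingsAlwaysAllow = { ...mappingsBefore };
delete mappingsAlwaysAllow[cp.TYPE_OBJECT_SUBREQUEST];
// Solution 2 (the fix): subrequests are governed by object-src.
const mappingsAfter = { ...mappingsBefore, [cp.TYPE_OBJECT_SUBREQUEST]: cspr_sd.OBJECT_SRC };

// The reporter's setup: 'self' only in the catch-all, the video hosts only in object-src.
const SELF_HOST = "adblockplus.org";
const policy = parsePolicy("allow 'self'; object-src www.youtube.com ytimg.com");

// Decide one object subrequest under each of the three mapping tables.
function compareSubrequest(host) {
  const type = cp.TYPE_OBJECT_SUBREQUEST;
  return {
    catchAll: checkLoad(policy, mappingsBefore, type, host, SELF_HOST),
    alwaysAllow: checkLoad(policy, mappingsAlwaysAllow, type, host, SELF_HOST),
    objectSrc: checkLoad(policy, mappingsAfter, type, host, SELF_HOST),
  };
}

// unlisted.example is a constructed host that appears in no directive.
for (const host of ["ytimg.com", "unlisted.example"]) {
  console.log(host, JSON.stringify(compareSubrequest(host)));
}
```

For ytimg.com the original table blocks the subrequest (the catch-all only allows 'self'), solution 1 allows it, and solution 2 allows it because object-src lists the host. For unlisted.example only solution 1 allows it: with the mapping deleted, nothing in the policy ever reaches the subrequest, which is the end-run comment 2 describes, whereas the object-src mapping still blocks it.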
Comment 3 • 15 years ago
Comment on attachment 430644 [details] [diff] [review]: fix
r=dveditz
Attachment #430644 - Flags: review?(dveditz) → review+
Comment 4 • 15 years ago
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED