Closed
Bug 673588
Opened 13 years ago
Closed 13 years ago
CSP 'self' wrong for redirected sites, defeats XSS protection
Categories
(Core :: DOM: Core & HTML, defect, P2)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla8
Tracking | Status | |
---|---|---|
firefox5 | --- | affected |
firefox6 | + | fixed |
firefox7 | + | fixed |
firefox8 | + | fixed |
status2.0 | --- | wanted |
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: dveditz, Assigned: bsterne)
References
Details
(Whiteboard: [sg:high][qa-])
Attachments
(1 file)
614 bytes,
patch
|
dveditz
:
review+
christian
:
approval-mozilla-aurora+
christian
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
+++ This bug was initially created as a clone of Bug #664151 +++ Bug 664151 is due to CSP interpreting the site policy using the originalURI of a document rather than the redirected end result. This has several rather bad security outcomes: * violation reports will be sent back to the redirecting site. If you can cause a violation (guaranteed if the site uses 'self' in a policy or doesn't specify schemes) you may be able to get sensitive data from site URLs if any include account or session related identifiers. Coupled with bug 664983 this is even worse. * XSS protection is bypassed if the script policy includes 'self'. If there's an XSS hole in the site prevented by CSP then you can inject scripts (or other content) that originate at the site doing the original redirection. There's a patch in bug 664151 but since that's a website bug there was no way to flag it to get onto a Firefox release train.
Assignee | ||
Comment 1•13 years ago
|
||
Attachment #547830 -
Flags: review?(dveditz)
Attachment #547830 -
Flags: approval-mozilla-beta?
Attachment #547830 -
Flags: approval-mozilla-aurora?
Reporter | ||
Comment 2•13 years ago
|
||
Comment on attachment 547830 [details] [diff] [review] Send report to the correct location r=dveditz
Attachment #547830 -
Flags: review?(dveditz) → review+
Assignee | ||
Comment 3•13 years ago
|
||
Pushed to m-c: http://hg.mozilla.org/mozilla-central/rev/887fad3ebc0b
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 4•13 years ago
|
||
What is the timeline before this has enough penetration to be able to reenable CSP on our sites?
Assignee | ||
Comment 5•13 years ago
|
||
I can't give an exact percentage, but I want to wait until we're past the "large part" of the adoption curve of Firefox 6 (assuming we can land the fix there).
Comment 6•13 years ago
|
||
Isn't the right thing to do here the same as what getChannelPrincipal does?
Assignee | ||
Comment 7•13 years ago
|
||
Why would I ever want to use the originalURI? Are there cases where URI is not set?
this bug caused us to remove CSP for AMO, so this fix lets us turn that back on. A good thing.
Comment on attachment 547830 [details] [diff] [review] Send report to the correct location Approved for releases/mozilla-aurora and releases/mozilla-beta. Please land asap.
Attachment #547830 -
Flags: approval-mozilla-beta?
Attachment #547830 -
Flags: approval-mozilla-beta+
Attachment #547830 -
Flags: approval-mozilla-aurora?
Attachment #547830 -
Flags: approval-mozilla-aurora+
Assignee | ||
Comment 10•13 years ago
|
||
Aurora merge: http://hg.mozilla.org/releases/mozilla-aurora/rev/58f37835e0bf Beta merge: hg.mozilla.org/releases/mozilla-beta/rev/6dfee2af8549
Comment 11•13 years ago
|
||
> Why would I ever want to use the originalURI? Are there cases where URI is not
> set?
There are cases when the |URI| does not correctly reflect the security context of the channel. For example, |URI| might be a jar:file:// URI while originalURI is a chrome:// URI.
Comment 12•13 years ago
|
||
To be clear, I think that in our default shipping configuration it doesn't matter whether we use URI or originalURI, since we don't plan to apply CSP to anything other than http and https and we don't build any other protocols on redirects to http/https. But extensions do this last all the time; what's the right CSP behavior for those?
Target Milestone: --- → mozilla8
Reporter | ||
Updated•13 years ago
|
Comment 13•13 years ago
|
||
qa- as no QA fix verification needed
Whiteboard: [sg:high] → [sg:high][qa-]
Reporter | ||
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•