673588 - CSP 'self' wrong for redirected sites, defeats XSS protection

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect, P2)

Description

[Daniel Veditz [:dveditz]]

+++ This bug was initially created as a clone of Bug #664151 +++

Bug 664151 is due to CSP interpreting the site policy using the originalURI of a document rather than the redirected end result. This has several rather bad security outcomes:

* violation reports will be sent back to the redirecting site. If you can cause a violation (guaranteed if the site uses 'self' in a policy or doesn't specify schemes) you may be able to get sensitive data from site URLs if any include account or session related identifiers. Coupled with bug 664983 this is even worse.

* XSS protection is bypassed if the script policy includes 'self'. If there's an XSS hole in the site prevented by CSP then you can inject scripts (or other content) that originate at the site doing the original redirection.

There's a patch in bug 664151 but since that's a website bug there was no way to flag it to get onto a Firefox release train.

Comment 1

[Brandon Sterne (:bsterne)]

Attachment: Send report to the correct location

Comment 2

[Daniel Veditz [:dveditz]]

Comment on attachment 547830 [details] [diff] [review]
Send report to the correct location

r=dveditz

Comment 3

[Brandon Sterne (:bsterne)]

Pushed to m-c:
http://hg.mozilla.org/mozilla-central/rev/887fad3ebc0b

Comment 4

[Wil Clouser [:clouserw]]

What is the timeline before this has enough penetration to be able to reenable CSP on our sites?

Comment 5

[Brandon Sterne (:bsterne)]

I can't give an exact percentage, but I want to wait until we're past the "large part" of the adoption curve of Firefox 6 (assuming we can land the fix there).

Comment 6

[Boris Zbarsky [:bzbarsky]]

Isn't the right thing to do here the same as what getChannelPrincipal does?

Comment 7

[Brandon Sterne (:bsterne)]

Why would I ever want to use the originalURI?  Are there cases where URI is not set?

Comment 8

[Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]]]

this bug caused us to remove CSP for AMO, so this fix lets us turn that back on. A good thing.

Comment 9

[LegNeato]

Comment on attachment 547830 [details] [diff] [review]
Send report to the correct location

Approved for releases/mozilla-aurora and releases/mozilla-beta. Please land asap.

Comment 10

[Brandon Sterne (:bsterne)]

Aurora merge:
http://hg.mozilla.org/releases/mozilla-aurora/rev/58f37835e0bf

Beta merge:
hg.mozilla.org/releases/mozilla-beta/rev/6dfee2af8549

Comment 11

[Boris Zbarsky [:bzbarsky]]

> Why would I ever want to use the originalURI?  Are there cases where URI is not
> set?

There are cases when the |URI| does not correctly reflect the security context of the channel.  For example, |URI| might be a jar:file:// URI while originalURI is a chrome:// URI.

Comment 12

[Boris Zbarsky [:bzbarsky]]

To be clear, I think that in our default shipping configuration it doesn't matter whether we use URI or originalURI, since we don't plan to apply CSP to anything other than http and https and we don't build any other protocols on redirects to http/https.  But extensions do this last all the time; what's the right CSP behavior for those?

Comment 13

[u279076]

qa- as no QA fix verification needed