Bug 699586
Bug in Content Security Policy for setInterval and setTimeout when argument is a function
Opened 13 years ago
Closed 12 years ago
Categories: Firefox :: Security, defect
Status: RESOLVED WORKSFORME
People: Reporter: erlend, Assigned: bsterne
References: Blocks 1 open bug
Attachments (1 file): 374 bytes, text/php
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.15 Safari/535.7
Steps to reproduce:
I built a Content Security Policy readiness sheet: http://erlend.oftedal.no/blog/csp/readiness/version2.php
One of the tests checks setTimeout(function, time) and setInterval(function, time).
Actual results:
The functions were blocked even though the argument is a function and is not creating code from strings like setInterval(String, time) and setTimeout(String, time).
Expected results:
These functions should not be blocked by the CSP directive for not allowing code to be generated from strings, as a function, not a string, is supplied. This works as expected in Chrome.
Updated 13 years ago
Assignee: nobody → bsterne
Comment 1 (reporter), 13 years ago
This still seems broken even in FF13.
Updated 12 years ago
Blocks: csp-w3c-1.0
Comment 2, 12 years ago
Comment 3, 12 years ago
I noticed the tests in comment 0 use 'unsafe-inline', but use the X- header (which is old CSP syntax and doesn't support the 'unsafe-inline' syntax).
In Firefox 24a1 (Nightly) I tested the X- header with inline scripts allowed (eval blocked), and indeed the eval of a string is blocked but setTimeout with a function is allowed. Tested the same thing with a CSP 1.0-compatible header:
Content-Security-Policy: default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'
And those tests passed too.
Perhaps the tests are testing the wrong syntax? Marking this as WFM since I can't reproduce the blocking-function-args problem.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
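The two points in this bug, that only a string argument to setTimeout/setInterval falls under the string-to-code restriction (comment 0) and that the legacy X-Content-Security-Policy header does not understand the CSP 1.0 'unsafe-inline' / 'unsafe-eval' keywords (comment 3), can be checked offline with a small policy analyzer. The code below is an added example, not part of the bug report or of Firefox's CSP implementation. The function names (parsePolicy, analyzePolicy, predictTimer) and the two sample headers are constructed for this example; the legacy syntax is modelled as the pre-1.0 Mozilla form (an `allow` directive plus `options inline-script eval-script`), which is a simplification of what Firefox actually accepted.

```javascript
// Added example, not from the bug report or Firefox: predict what a CSP header
// permits for setTimeout/setInterval, under CSP 1.0 syntax and under the legacy
// Mozilla X-Content-Security-Policy syntax. Function names are this example's own.

// Split "name token token; name token ..." into a Map of directive -> tokens.
// CSP ignores a repeated directive after the first, so first occurrence wins.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Work out whether string-to-code (eval, string timers) and inline scripts are
// allowed, keyed on which header name the policy was delivered under.
function analyzePolicy(headerName, headerValue) {
  const d = parsePolicy(headerValue);
  const legacy = headerName.toLowerCase() === 'x-content-security-policy';
  let stringEvalAllowed;
  let inlineScriptAllowed;
  const unrecognised = [];
  if (legacy) {
    // Assumed pre-1.0 Mozilla model: "allow" plays the role of default-src and the
    // "options" directive re-enables inline-script / eval-script. The 1.0 keywords
    // 'unsafe-inline' / 'unsafe-eval' are not source expressions here, so a policy
    // that relies on them gets nothing from them; we report them as unrecognised.
    const opts = (d.get('options') || []).map(t => t.toLowerCase());
    stringEvalAllowed = opts.includes('eval-script');
    inlineScriptAllowed = opts.includes('inline-script');
    for (const tokens of d.values()) {
      for (const t of tokens) if (/^'unsafe-/i.test(t)) unrecognised.push(t);
    }
  } else {
    // CSP 1.0: script-src governs script; when absent, default-src applies.
    const src = (d.get('script-src') || d.get('default-src') || []).map(t => t.toLowerCase());
    stringEvalAllowed = src.includes("'unsafe-eval'");
    inlineScriptAllowed = src.includes("'unsafe-inline'");
  }
  return { legacySyntax: legacy, stringEvalAllowed, inlineScriptAllowed, unrecognisedKeywords: unrecognised };
}

// Whether a given setTimeout/setInterval first argument should be blocked under
// the policy. Only a string argument is compiled from text and so falls under the
// eval restriction; a function argument is never subject to it.
function predictTimer(headerName, headerValue, arg) {
  if (typeof arg === 'function') return 'allowed';
  return analyzePolicy(headerName, headerValue).stringEvalAllowed ? 'allowed' : 'blocked';
}

// Constructed sample headers: the CSP 1.0 header from comment 3, and a legacy
// header carrying the 1.0 keyword the reporter's tests used.
const cspHeader = "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline' 'self'";
const legacyHeader = "allow 'self'; script-src 'unsafe-inline'; options inline-script";

console.log('CSP 1.0 header:', analyzePolicy('Content-Security-Policy', cspHeader));
console.log('legacy header:', analyzePolicy('X-Content-Security-Policy', legacyHeader));
console.log('function arg under CSP 1.0:', predictTimer('Content-Security-Policy', cspHeader, function () {}));
console.log('string arg under CSP 1.0:', predictTimer('Content-Security-Policy', cspHeader, 'alert(1)'));
```

Running it shows the expected split: the function argument is reported as allowed under both headers, the string argument is blocked unless 'unsafe-eval' (or, in legacy syntax, `options eval-script`) is present, and the legacy header is flagged for carrying an 'unsafe-inline' token it cannot act on, which is the mismatch comment 3 suspected in the readiness sheet.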