A policy of like script-src 'self' 'unsafe-inline'; allows eval but should not

RESOLVED FIXED

Status

()

RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: freddyb, Assigned: geekboy)

Tracking

(Blocks: 1 bug, {sec-moderate})

Trunk
sec-moderate
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

I ran the W3C test suite (see URL) and noticed that we execute JavaScript from strings when script-src is set to 'self 'unsafe-inline', although unsafe-eval is left out.

Comment 1

5 years ago
Thanks for running the test suite, Freddy ! 

We have some tests around setInterval/setTimeout, see https://mxr.mozilla.org/mozilla-central/source/content/base/test/file_CSP_evalscript_main.js

so we need to dig in a bit to understand what's going on here and what's different (or possibly what's wrong in our tests for this). 

Marking sec-moderate, as always, that's open to discussion.

I don't have time to look into this right now, so if anyone else can dive in that would be much appreciated. This test passes in current Chrome fwiw.
Keywords: sec-moderate
(Assignee)

Comment 2

5 years ago
We execute all types of JS from strings or just one certain vector?  Is it inline script tags or event handler attributes or...?

Comment 3

5 years ago
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #2)
> We execute all types of JS from strings or just one certain vector?  Is it
> inline script tags or event handler attributes or...?

Fail	setInterval, setTimeout with non-callable args should not execute with policy "script-src 'self' 'unsafe-inline'". 1	assert_false: Unsafe eval ran in setTimeout(). expected false got true
Fail	setInterval, setTimeout with non-callable args should not execute with policy "script-src 'self' 'unsafe-inline'". 2	assert_false: Unsafe eval ran in setInterval(). expected false got true

the script is :

<script>
		window.setTimeout('test(function() {assert_false(true, "Unsafe eval ran in setTimeout().")})', 0);
	</script>
	<script>
		window.setInterval('test(function() {assert_false(true, "Unsafe eval ran in setInterval().")})', 0);
	</script>


note that the CSP for the document specifies unsafe-inline, just not unsafe-eval
(Assignee)

Comment 4

5 years ago
Thanks, Ian.  Potentially (remotely) related is bug 805929.

Comment 5

5 years ago
Looks like we don't have a setInterval test :(

Wondering if this has something to do with the W3C test using window.setTimeout, our test just calls setTimeout. Very likely not, but something I noticed.
(Assignee)

Comment 6

5 years ago
"window." shouldn't make a difference.  I just tried it out and doesn't seem to affect the outcome of the mochitests.

Comment 7

5 years ago
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #6)
> "window." shouldn't make a difference.  I just tried it out and doesn't seem
> to affect the outcome of the mochitests.

Didn't think so, thanks for checking. Seems like the test case needs some debugging, if we can find a volunteer..
(Assignee)

Updated

5 years ago
Assignee: nobody → sstamm
From my quick tests, the issue appears only when "Content-Security-Policy" is used, rather than "X-Content-Security-Policy". I'm using FF24 nightly.

Comment 9

5 years ago
These tests which were failing previously :

Fail	setInterval, setTimeout with non-callable args should not execute with policy "script-src 'self' 'unsafe-inline'". 1	assert_false: Unsafe eval ran in setTimeout(). expected false got true
Fail	setInterval, setTimeout with non-callable args should not execute with policy "script-src 'self' 'unsafe-inline'". 2	assert_false: Unsafe eval ran in setInterval(). expected false got true

are now passing in Nightly Fx25 from 7/1. I suspect this is due to Garrett's fix for bug 887974 having landed.

There is still a report sending failure but that might be bug 843311.
(Assignee)

Comment 10

5 years ago
I just ran the entire test suite on nightly (http://webappsec-test.info/web-platform-tests/csp/) and got 100%.  Some of the php files don't seem to have any tests, but when I load them individually they block some stuff.

Freddyb: is this bug is fixed on nightly?
Flags: needinfo?(fbraun)
This eval/inline failure seems to be fixed and I do see a success rate of 100%. Thanks for working on this Garett!

But there seem to be some outstanding bugs anyhow: Firefox nightly sees a 100% pass with nine of nine tests, where chromium sees and passes 16 tests. This should be investigated in bug 937025.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: needinfo?(fbraun)
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.