Open Bug 903424 Opened 12 years ago Updated 3 years ago

Content Security Policy doesn't check existence of aChannel.referrer

Categories

Product/Component: Core :: Security (defect)

Version: 23 Branch
Platform: x86_64 Linux
Type: defect

Tracking

Status: UNCONFIRMED

People

(Reporter: burningmace, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/10.04 Chromium/18.0.1025.168 Chrome/18.0.1025.168 Safari/535.19

Steps to reproduce:

Create a page with a security policy set, and browse to it directly (no page referrer). Not sure of the exact reproduction steps, but the bug is evident.

Reproduced in the following user agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1

Actual results:

You'll see an error in the error console:

Error: aChannel.referrer is null
Source File: resource:///components/contentSecurityPolicy.js
Line: 206

Expected results:

No error.
I looked at the source and noticed that somewhere along the line someone removed an if (aChannel.referrer) that preceded line 206, which reads as follows:

let referrer = aChannel.referrer.cloneIgnoringRef();

Inserting the if clause back in should solve the issue. Unfortunately I don't have anything but a browser available to me, so I can't provide a patch.
Probably related, but no idea how to reproduce - it just happens sometimes on CSP-enabled sites:

Error: [Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIURI.userPass]" nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: resource:///components/contentSecurityPolicy.js :: <TOP_LEVEL> :: line 203" data: no]
Source File: resource:///components/contentSecurityPolicy.js
Line: 203

Source code from contentSecurityPolicy.js:

201: // save the document URI (minus <fragment>) and referrer for reporting
202: let uri = aChannel.URI.cloneIgnoringRef();
203: uri.userPass = '';
204: this._request = uri.asciiSpec;
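The two failure modes reported above (a null aChannel.referrer dereferenced at line 206, and a userPass assignment at line 203 that throws NS_ERROR_UNEXPECTED) can be modelled side by side. The following is an added example, not Mozilla's code and not an attachment to this bug: the nsIURI stand-in makeUri, the channel objects, stripUserPass and attempt are all constructed for the example, and it assumes a WHATWG URL parser is available (Node.js). It shows the unguarded sequence from lines 202-206 failing on both inputs, and a guarded variant that restores the if (aChannel.referrer) check the reporter describes and tolerates URIs whose userPass setter throws.

```javascript
// Added example, not Mozilla's code: a minimal model of the report-field
// setup at contentSecurityPolicy.js lines 201-206, showing both failure
// modes from the bug next to a guarded version. The nsIURI stand-in below
// is constructed for this example and only models the members the snippet
// uses (asciiSpec, cloneIgnoringRef, userPass).

// Constructed stand-in for nsIURI backed by the WHATWG URL parser.
function makeUri(spec, supportsUserPass = true) {
  const url = new URL(spec);
  return {
    get asciiSpec() { return url.href; },
    // Models nsIURI.cloneIgnoringRef(): a copy with the #fragment dropped.
    cloneIgnoringRef() {
      const copy = new URL(url.href);
      copy.hash = '';
      return makeUri(copy.href, supportsUserPass);
    },
    // Models the failure in the second report: assigning userPass on a URI
    // implementation that does not support it fails with NS_ERROR_UNEXPECTED.
    set userPass(value) {
      if (!supportsUserPass) {
        throw new Error('NS_ERROR_UNEXPECTED [nsIURI.userPass]');
      }
      const [user, pass] = value.split(':');
      url.username = user || '';
      url.password = pass || '';
    },
  };
}

// Lines 202-206 as reported: no guard on referrer, no guard on userPass.
function buildReportFieldsUnguarded(aChannel) {
  const uri = aChannel.URI.cloneIgnoringRef();
  uri.userPass = '';                                     // line 203: may throw
  const request = uri.asciiSpec;
  const referrer = aChannel.referrer.cloneIgnoringRef(); // line 206: TypeError if null
  return { request, referrer: referrer.asciiSpec };
}

// Strip credentials for the violation report, tolerating URI implementations
// that reject the userPass setter.
function stripUserPass(uri) {
  try {
    uri.userPass = '';
  } catch (e) {
    // URIs that cannot carry credentials have none to strip.
  }
  return uri;
}

// Guarded version: restores the `if (aChannel.referrer)` the reporter
// describes and routes both URIs through stripUserPass().
function buildReportFields(aChannel) {
  const fields = {
    request: stripUserPass(aChannel.URI.cloneIgnoringRef()).asciiSpec,
    referrer: '',
  };
  if (aChannel.referrer) {
    fields.referrer = stripUserPass(aChannel.referrer.cloneIgnoringRef()).asciiSpec;
  }
  return fields;
}

// Runs fn and reports the outcome instead of throwing, so the two variants
// can be compared side by side.
function attempt(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    return { ok: false, error: `${e.constructor.name}: ${e.message}` };
  }
}

// Constructed channels: a direct navigation (no referrer, credentials in the
// URL), a navigation with a referrer, and a URI that rejects userPass.
const directNavigation = {
  URI: makeUri('https://user:secret@example.test/page#top'),
  referrer: null,
};
const withReferrer = {
  URI: makeUri('https://example.test/a#x'),
  referrer: makeUri('https://ref.test/from?q=1#frag'),
};
const noUserPassSupport = {
  URI: makeUri('https://example.test/b', false),
  referrer: null,
};

console.log('unguarded, direct:', attempt(() => buildReportFieldsUnguarded(directNavigation)));
console.log('guarded, direct:', attempt(() => buildReportFields(directNavigation)));
console.log('guarded, referrer:', attempt(() => buildReportFields(withReferrer)));
console.log('unguarded, no userPass:', attempt(() => buildReportFieldsUnguarded(noUserPassSupport)));
console.log('guarded, no userPass:', attempt(() => buildReportFields(noUserPassSupport)));
```

The guarded variant keeps the report's request field intact even when the referrer is absent, which is the normal case for a direct navigation, and treats a URI that cannot hold credentials as having none to remove rather than aborting the report. Clearing credentials before the spec is copied into the report matters because the violation report may be sent to a third-party report-uri.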
Could you attach a testcase with such a behavior (or an online testcase), please.
Component: Untriaged → Security
Product: Firefox → Core
Version: 14 Branch → 23 Branch
Flags: needinfo?(burningmace)
I can't set up a test-case right now, since the code I was working on was at work, but I can give you all the information I have about the setup I was using internally when I found the issue.

Set the Content-Security-Policy, X-Content-Security-Policy, and X-WebKit-CSP headers to the following:

default-src: 'none'; script-src: 'self'; img-src: 'self'; style-src: 'self'; connect-src: 'self'; xhr-src: 'self'; frame-src: 'none'; media-src: 'none'; object-src: 'none'; font-src: 'none';

Also set the following headers:

X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache
Pragma: no-cache

Content encoding was UTF-8 and content type was text/html. Page referenced XHTML Strict DTD. Hopefully that's enough to recreate the issue; let me know if you need further details.
Flags: needinfo?(burningmace)
Severity: normal → S3