Closed Bug 908824 Opened 6 years ago Closed 6 years ago

CSP 1.0 does not block plugin content with object-src

Categories

(Core :: Security, defect, major)

23 Branch
All
macOS
defect
Not set
major

Tracking

()

VERIFIED FIXED
mozilla24
Tracking Status
firefox22 --- unaffected
firefox23 --- wontfix
firefox24 --- verified
firefox25 --- verified
firefox26 --- verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: mwobensmith, Assigned: geekboy)

References

()

Details

(Keywords: sec-moderate, Whiteboard: [adv-main24-] Embargo until 908933 fixed)

1. Run test case here, preferably watching HTTP traffic to observe headers:

http://webappsec-test.info/~mwobensmith/CSP/object-src/CSP_2_1.php

2. View results with FF23 in console:

Error: [Exception... "'TypeError: defaultSrcDir is undefined' when calling method: [nsIContentSecurityPolicy::refinePolicy]"  nsresult: "0x8057001c (NS_ERROR_XPC_JS_THREW_JS_OBJECT)"  location: "native frame :: <unknown filename> :: <TOP_LEVEL> :: line 0"  data: no]

3. Run same test in FF24+ and view console:

[11:38:15.583] Content Security Policy: Directive object-src http://webappsec-test.info:80 violated by http://www2.webappsec-test.info/~mwobensmith/CSP/support/media/flash.swf



We prefer the latter.
Please note:

You can also try an applet on FF23 using this test:

http://webappsec-test.info/~mwobensmith/CSP/object-src/CSP_2_3.php

Ignore the test output in the page, as it might be wrong. Just note whether the applet loads or not, and what message appears in the console.

For the applet case, it acts identical to the SWF above in FF23 and below. However, in FF24+, the applet is not blocked, and no error is flagged anywhere. Please tell me if I should file a separate bug for that, since it affects branches FF24 and above.
Assignee: nobody → grobinson
Summary: CSP does not block cross-domain plugin content with object-src-'self' → CSP does not block cross-domain plugin content with object-src 'self'
OK, in comment 1 I referenced the applet case. I filed bug 908933 for that, as it appears in FF24+.
I'm confused what this bug is about. You want the Firefox 24 behavior, so this is already fixed, right?
Yes, technically, this is already fixed. However, since it shows our current CSP is very broken, I felt a bug was important to track it. Dunno what our policy would be for an advisory, in this case. Waiting on others - Critsmash, etc. - to triage.
Is there something in particular that fixed it?

This says that ESR is unaffected, so really the only other action is to issue an advisory.
Good question - I don't have insight as to what fixed it, but the related bug 908933 needs to be addressed in FF24+ before we can discuss this one, as this one exposes both of them.

Garrett is out of town this week; we may have to wait until he returns for further assessment. He has been looking at it.

Lastly, thanks for the heads up about ESR. I think technically this might be an issue with the CSP 1.0 implementation, which I am not sure if ESR17 supports. The test case fails there, so we need to examine further - marking affected for now until we know for sure.
Changed title to reflect that - AFAIK - no potential source list values for the object-src directive seems to prevent SWF loading in this bug. 

It's not just 'self' but domains, protocols, ports, 'none', etc. The plugin is always loaded, regardless.
Summary: CSP does not block cross-domain plugin content with object-src 'self' → CSP does not block plugin content with object-src
Just a little more info.

This bug also includes the media-src directive, with audio/video. Same problem.

And to be clearer - this appears to be an issue with the 1.0 implementation. If we only use the prefixed header, everything is blocked, as expected. However, if we use the proper, unprefixed header, these directives don't work in FF23. They do work in Chrome and FF24+.
Matt: I thnk the CSP 1.0 header only landed in Fx23, so is "22 affected" really correct? Maybe we backported it?

If this is fixed in 24 can you please make this bug depend on that one.

Calling this sec-moderate since it's a major failure of a feature but the feature itself is a mitigation against website bugs.
Flags: needinfo?(mwobensmith)
Keywords: sec-moderate
Summary: CSP does not block plugin content with object-src → CSP 1.0 does not block plugin content with object-src
Whiteboard: [adv-main24+]
FF22 is not affected. Nor is FF17esr. Looks like just FF23.

I don't know if there is a bug associated with what fixed it in FF24+, assuming we knowingly fixed it. I will search for it and/or ask Garrett when he returns.
Alias: CVE-2013-1732
(In reply to Matt Wobensmith from comment #10)
> FF22 is not affected. Nor is FF17esr. Looks like just FF23.
> 
> I don't know if there is a bug associated with what fixed it in FF24+,
> assuming we knowingly fixed it. I will search for it and/or ask Garrett when
> he returns.

Any status update here Matt?
Flags: needinfo?(mwobensmith)
According to Sid, the patch for bug 780978 fixed it in FF24+.  

"We removed makeExplicit() ... (which caused) any CSP in 1.0 that didn't use a default-src (to fail)."

I set Status to Resolved/Fixed. Feel free to change if that doesn't quite fit the situation, as it was a bug reported against the current build... that was already fixed in later builds.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(mwobensmith)
Resolution: --- → FIXED
Given comment 12 can we just mark this verified fixed across all branches?
Assignee: grobinson → sstamm
Depends on: 780978
Target Milestone: --- → mozilla24
I don't think we can release an advisory for this while the applet case is still a problem, unfortunately.
Alias: CVE-2013-1732
Depends on: CVE-2016-2833
Whiteboard: [adv-main24+] → [adv-main24-] Embargo until 908933 fixed
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.