CSP style-src is parsed using incorrect ordering rules

RESOLVED DUPLICATE of bug 909029

Product: Core
Component: Security

People

(Reporter: Florian Pritz, Unassigned)

Tracking

(Blocks: 1 bug)

24 Branch
x86_64
Linux

Firefox Tracking Flags

(Not tracked)

Description (Reporter, 4 years ago)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130917081302

Steps to reproduce:

Send the following CSP header and try to open an SVG image created by systemd-analyze.

Content-Security-Policy: default-src 'none'; style-src * 'unsafe-inline';

Changing the order of * and 'unsafe-inline' fixes the issue, but according to the W3C draft a source-list is an unordered list of source-expressions [1], and I can't find any mention of order being important.

[1]: http://www.w3.org/TR/CSP/#source-list


Actual results:

Firefox complains about inline style being forbidden by the CSP.


Expected results:

Firefox should display the image correctly and not complain about CSP issues.

Comment 1 (4 years ago)
Blocks: 493857
Component: Untriaged → Security
Product: Firefox → Core
Florian, can you please link to a test case or attach a test case? It will help us move more quickly on this bug.
Flags: needinfo?(bluewind)
Comment 2 (Reporter, 4 years ago)
Test case "* 'unsafe-inline'": http://flo.server-speed.net/tmp/test.svg
Test case "'unsafe-inline' *": http://flo.server-speed.net/tmp/test2.svg

Both render fine in Chromium; in Firefox, test.svg (same file, just a different CSP header) is pretty much only a black square.
Flags: needinfo?(bluewind)
Thanks for the test cases, Florian. This bug is caused by the early return in CSPSourceList.fromString [1]. Sid - wasn't this the cause of another recent bug? Do you recall which?

[1] http://dxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm?from=CSPUtils.jsm#l989
Flags: needinfo?(sstamm)
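As an added illustration that is not part of this bug report and not Mozilla's CSPUtils.jsm code: a small JavaScript model of the two parsing behaviours. The "ordered" parser stops consuming tokens as soon as it sees `*`, which is an assumed trigger chosen to match the reported symptom (swapping `*` and `'unsafe-inline'` changes the outcome); the "unordered" parser treats the source list as the set the spec describes. `parsePolicy`, `allowsInlineStyle`, and the two header constants are names introduced here for the example.

```javascript
// Added example (not Mozilla's CSPUtils.jsm): a minimal CSP header parser
// modelling the ordering bug from this report beside a correct parser.
// Only the keywords needed for the report are handled.

// Split a CSP header into a map of directive name -> array of source tokens.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // First occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Model of the incorrect behaviour: returns as soon as it sees '*', so any
// keyword written after '*' is silently dropped. The choice of '*' as the
// early-return trigger is an assumption made for this example.
function parseSourceListOrdered(tokens) {
  const result = { allowAll: false, unsafeInline: false, hosts: [] };
  for (const token of tokens) {
    if (token === "'none'") continue;        // 'none' contributes no sources
    if (token === "*") {
      result.allowAll = true;
      return result;                          // BUG: remaining tokens ignored
    }
    if (token === "'unsafe-inline'") result.unsafeInline = true;
    else result.hosts.push(token);
  }
  return result;
}

// Correct behaviour: a source list is an unordered set of source expressions,
// so every token is examined regardless of its position.
function parseSourceListUnordered(tokens) {
  const result = { allowAll: false, unsafeInline: false, hosts: [] };
  for (const token of tokens) {
    if (token === "'none'") continue;        // 'none' contributes no sources
    if (token === "*") result.allowAll = true;
    else if (token === "'unsafe-inline'") result.unsafeInline = true;
    else result.hosts.push(token);
  }
  return result;
}

// Decide whether inline <style> is permitted: style-src governs it, and
// default-src is the fallback when style-src is absent.
function allowsInlineStyle(header, parseSourceList) {
  const directives = parsePolicy(header);
  const tokens = directives.get("style-src") || directives.get("default-src") || [];
  return parseSourceList(tokens).unsafeInline;
}

// Headers from the report: the two style-src lists differ only in ordering.
const HEADER_STAR_FIRST = "default-src 'none'; style-src * 'unsafe-inline';";
const HEADER_INLINE_FIRST = "default-src 'none'; style-src 'unsafe-inline' *;";

function demo() {
  return {
    buggyStarFirst: allowsInlineStyle(HEADER_STAR_FIRST, parseSourceListOrdered),      // false
    buggyInlineFirst: allowsInlineStyle(HEADER_INLINE_FIRST, parseSourceListOrdered),  // true
    fixedStarFirst: allowsInlineStyle(HEADER_STAR_FIRST, parseSourceListUnordered),    // true
    fixedInlineFirst: allowsInlineStyle(HEADER_INLINE_FIRST, parseSourceListUnordered),// true
    fallbackToDefault: allowsInlineStyle("default-src 'none';", parseSourceListUnordered), // false
  };
}

console.log(demo());
```

The only difference between the two parsers is the early `return` after `*`; with it, `style-src * 'unsafe-inline'` is reduced to `style-src *`, which is exactly the "inline style forbidden" symptom described above, while the reversed ordering happens to record `'unsafe-inline'` before the return and so works by accident.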
I think it was bug 909029.  Garrett, you're almost done with that.  Probably wouldn't hurt to see if that's the same bug.
Flags: needinfo?(sstamm)
The patch for bug 909029 fixes this problem as well.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 909029