Closed Bug 929653 Opened 11 years ago Closed 11 years ago

CSP style-src is parsed using incorrect ordering rules

Categories

(Core :: Security, defect)

24 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 909029

People

(Reporter: bluewind, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130917081302

Steps to reproduce:

Send the following CSP header and try to open an SVG image created by systemd-analyze.

Content-Security-Policy: default-src 'none'; style-src * 'unsafe-inline';

Changing the order of * and 'unsafe-inline' fixes the issue, but according to the W3C draft, source-list is an unordered list of source-expressions [1], and I can't find any mention of order being important.

[1]: http://www.w3.org/TR/CSP/#source-list


Actual results:

Firefox complains about inline style being forbidden by the CSP.


Expected results:

Firefox should display the image correctly and not complain about CSP issues.
Blocks: CSP
Component: Untriaged → Security
Product: Firefox → Core
Florian, can you please link to a test case or attach a test case? It will help us move more quickly on this bug.
Flags: needinfo?(bluewind)
Test case "* 'unsafe-inline'": http://flo.server-speed.net/tmp/test.svg
Test case "'unsafe-inline' *": http://flo.server-speed.net/tmp/test2.svg

Both render fine in Chromium; in Firefox, test.svg (same file, just different CSP header) is pretty much only a black square.
Flags: needinfo?(bluewind)
Thanks for the test cases, Florian. This bug is caused by the early return in CSPSourceList.fromString [1]. Sid - wasn't this the cause of another recent bug? Do you recall which?

[1] http://dxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm?from=CSPUtils.jsm#l989
Flags: needinfo?(sstamm)
I think it was bug 909029. Garrett, you're almost done with that. Probably wouldn't hurt to see if that's the same bug.
Flags: needinfo?(sstamm)
The patch for bug 909029 fixes this problem as well.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
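
The order dependence discussed in this report, modelled as an added example (not Mozilla's CSPUtils.jsm code and not part of the original bug). All function names are hypothetical, and the exact shape of the early return on `*` is an assumption, since the page only names where it happens:

```javascript
// Added illustration, not Mozilla's CSPUtils.jsm. All names here are hypothetical.
const KEYWORDS = new Set(["'self'", "'unsafe-inline'", "'unsafe-eval'"]);

// Pull one directive's source-list out of a Content-Security-Policy header value.
function sourceListOf(policy, directive) {
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) return sources;
  }
  return null;
}

// Order-dependent model: returning at "*" drops every token that follows it.
// (Assumed shape of the early return; the page does not show the real code.)
function parseEarlyReturn(sources) {
  const parsed = { allowAll: false, keywords: new Set(), hosts: [] };
  for (const tok of sources) {
    if (tok === "*") {
      parsed.allowAll = true;
      return parsed;
    }
    if (KEYWORDS.has(tok.toLowerCase())) parsed.keywords.add(tok.toLowerCase());
    else parsed.hosts.push(tok);
  }
  return parsed;
}

// Order-independent model: every source-expression is consumed.
function parseUnordered(sources) {
  const parsed = { allowAll: false, keywords: new Set(), hosts: [] };
  for (const tok of sources) {
    if (tok === "*") parsed.allowAll = true;
    else if (KEYWORDS.has(tok.toLowerCase())) parsed.keywords.add(tok.toLowerCase());
    else parsed.hosts.push(tok);
  }
  return parsed;
}

// Inline <style> is permitted only when 'unsafe-inline' was recorded.
const allowsInlineStyle = (parsed) => parsed.keywords.has("'unsafe-inline'");

// Regression check: the decision must be the same for reversed token order.
function isOrderIndependent(parse, sources) {
  const reversed = [...sources].reverse();
  return allowsInlineStyle(parse(sources)) === allowsInlineStyle(parse(reversed));
}

// Header from the report.
const REPORTED = "default-src 'none'; style-src * 'unsafe-inline';";
```

Running `isOrderIndependent` over each directive of a deployed policy is a cheap regression test for this class of parser bug.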