Closed Bug 968906 Opened 11 years ago Closed 9 years ago

Certified apps can inline css

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: ochameau, Unassigned)

References

Details

(Keywords: sec-low)

The only CSP difference between privileged and certified is about inlining CSS and it looks like we can still inline CSS attributes in certified apps. http://mxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#376 The following code, introduced for devtools layers is injecting html strings with inlined css attributes within the system app: https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/devtools_layers.js#L65-L66 And it works fine on device... I identified this bug while working on firefox mulet (bug 943878) where the csp works correctly and then break the devtools layers. As I don't know exactly how much we could get from this security leak, I set the bug private, but do not hesitate to make it public if that makes sense. Is it related to bug 927493?
Blocks: 968907
Sid, can you help on this? I'm not sure which codepath we take for these csp checks.
Flags: needinfo?(sstamm)
I'm not sure this is super risky especially since CSP works on device, but it is probably a bug. Can we get some debug info (like prlogging for csp:5 or something)? We're confident the app is being treated as certified, and there is a CSP being applied, right? (Quick check would be to try and source an external script and see if CSP blocks it.) Fabrice: the CSP check is done in nsStyledElement::ParseStyleAttribute(): http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsStyledElement.cpp#233 This could be related to bug 858836, so ccing grobinson. Garrett, what do you think?
Flags: needinfo?(sstamm) → needinfo?(grobinson)
I'm pretty sure the problem here is because we are still using the pre-1.0 X-CSP parser for Firefox OS (including the default app policies). X-CSP doesn't have inline style blocking, which is why you're not seeing styles blocked. You could try running with "security.csp.speccompliant" set to true and see if you get the behavior you're expecting. We're working on getting 1.0 to be the default ASAP, but there are a lot of problems with the test harness that have been making it difficult. Since this problem only affects styles, this is not ideal, and is confusing to developers who are trying to work with the default policies, but it is a low security risk.
Depends on: 858787
Flags: needinfo?(grobinson)
Why do we care if privileged apps use inline styles? But in any case this appears to be known and expected given the use of the old CSP parser in b2g.
Keywords: sec-low
Component: Security → DOM: Security
Alex, can you confirm if this is still a problem in the latest Nightly? Should be fixed by the patch for bug 858787.
Flags: needinfo?(poirot.alex)
Actually, don't confirm just yet, as that patch was just backed out. I'll comment here when we get it landed again :(
Wait, have you removed all inline css before enable inline css rejection? I opened bug 968907 to do that. The example I gave in first comment is still here: https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/devtools_view.js#L106 The system app also have inlined css: https://github.com/mozilla-b2g/gaia/blob/master/apps/system/index.html#L380 Here is a command that can help finding them: egrep -r \<style --include=*.html --exclude=_sandbox.html --exclude=_proxy.html apps/ dev_apps/ I'm also wondering if style="" attribute is also rejected from this CSP? egrep -r style=\" --include=*.html apps/ dev_apps/
Flags: needinfo?(poirot.alex)
Flags: needinfo?(grobinson)
Goodness, I didn't realize that certified apps were using inline styles... are B2G developers aware of the default CSP policies, and taking them into account? I'm changing 968907 from a blocker to a dependency here. When we land bug 858787, all certified apps will have the default CSP correctly applied (which will block inline styles). Therefore, we should remove the use of inline styles from all certified apps before landing that, to avoid breakage. I also think this bug does not require security confidentiality, and would benefit from being opened it. sstamm, what do you think?
No longer blocks: 968907
Depends on: 968907
Flags: needinfo?(sstamm)
Flags: needinfo?(poirot.alex)
Flags: needinfo?(grobinson)
I don't see a reason to keep this hidden. Having it opened will help get attention to fix the apps and even if someone can inject styles into a running app, the implications are not earth shattering. But yeah, we should fix this (and the apps). Who can make sure app developers know about this coming change to block inline styles for certified apps so they don't introduce more inline styles?
Flags: needinfo?(sstamm)
> Who can make sure app developers know about this coming change to block inline styles for certified apps so they don't introduce more inline styles? I will be emailing gaia-dev about this shortly, I just want to make sure bug 1006781 isn't a CSP bug first (to avoid confusion).
Yep, you should post on dev-gaia ML. If the csp is going to reject any usage of domElement.style attribute from JS, it is going to break critical performances tweaks using transition/animation/whatever-css-trick relying on modifying css attribute values dynamically via style object on DOM elements.
Flags: needinfo?(poirot.alex)
AFAIK this is not breaking setting domElement.style from JS, but only the use of "style=" attributes or <style> blocks in markup.
Forget comment 12, I haven't read all my mails yet, Garett made it clear in bug 1006781 comment 18.
Depends on: 1021970
Group: core-security → dom-core-security
Paul, we are triaging DOM:Security bugs at the moment. Since B2G is basically in Tier 3 support now, I was wondering what we should do with this bug? Can we close it as wontfix? Should we reclassify it so it shows up under a different Component? I don't know :-)
Flags: needinfo?(ptheriault)
Certified apps are going away. I am trying to get a CSP applied, but that's not this bug, and will be difficult since Gaia is likely moving to be chrome:// hosted instead of a app://. In any case this can be closed I think.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(ptheriault)
Resolution: --- → WONTFIX
Group: dom-core-security
You need to log in before you can comment on or make changes to this bug.