Closed Bug 1387871 Opened 7 years ago Closed 7 years ago

CSP: Write testcase for data: URI iframe using a meta CSP including 'self'

Categories

(Core :: DOM: Security, enhancement, P2)


RESOLVED FIXED
mozilla57
Tracking Status
firefox57 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file, 2 obsolete files)

When working on Bug 1387684 I realized that having a data: URI iframe which uses a meta CSP including 'self' translates 'self' into a data: URI. We fix the issue within Bug 1387684, but we should write our own testcase for it because the wpt test for this relies on the policy violation events (see Bug 1302962), which we haven't implemented yet.
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Depends on: 1387684
Priority: -- → P2
Whiteboard: [domsecurity-active]
Attached patch bug_1387871_test_meta_csp_self.patch (obsolete) (deleted) — Splinter Review
This needs a little more work than I expected. When flipping the pref so data: URIs become unique opaque origins, then we get the following values when running that test:
Within CSP_CreateHostSrcFromSelfURI:
  aSelfURI: moz-nullprincipal:{6955d7ca-7420-489e-b5f1-2c1ffd31698f}
  scheme: moz-nullprincipal
  host:
  port: 32764
which ultimately translates 'self' into:
  moz-nullprincipal://:32764
within the attached testcase. I am not entirely sure how we should handle that case. I guess it needs a little more discussion with Dan and others.
Attached patch bug_1387871_test_meta_csp_self.patch (obsolete) (deleted) — Splinter Review
As described in [1], the test within this bug will land together with the changes from Bug 1387684.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1387684#c18
Attachment #8894406 - Attachment is obsolete: true
Attachment #8897813 - Flags: review?(dveditz)
Comment on attachment 8897813: bug_1387871_test_meta_csp_self.patch
Review of attachment 8897813:
Am I still reviewing this patch, or will there be another version?
I'm not keen on translating moz-nullprincipal: to unique-opaque-origin: because moz-nullprincipal should already mean a unique origin. According to the URL spec (WHATWG) a unique origin shouldn't match even itself so you could just have things fail. Or, a more common-sense interpretation of a "unique" origin would allow it to match itself (exactly!) but not other URLs of the same scheme.
There are URL types that don't have hosts that aren't moz-nullprincipal. Basically, if a URL has a host then it's a scheme+host+port origin comparison; if it doesn't then it's a "unique origin" and we can either common-sense compare the entire URL, or go the "unique origin" definition and simply fail the comparison once we hit that point.
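
The comparison rule described in the review comment above, as an added JavaScript sketch that is not part of the bug or of Firefox's code. The names matchesSelf, naiveSelfSource, effectivePort and the opaquePolicy option are hypothetical, and the WHATWG URL parser stands in for Gecko's URI handling:

```javascript
// Added illustration, not Firefox source. All names here are hypothetical.
// Sample value: the null-principal URI quoted in the bug comment above.
const NULL_PRINCIPAL = "moz-nullprincipal:{6955d7ca-7420-489e-b5f1-2c1ffd31698f}";
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Explicit port if present, otherwise the scheme default, otherwise "".
function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Naive construction: assemble scheme://host[:port] from whatever the URL has.
// For a hostless URL this yields an expression with an empty host.
function naiveSelfSource(docUrl) {
  const u = new URL(docUrl);
  return `${u.protocol}//${u.hostname}${u.port ? ":" + u.port : ""}`;
}

// Does requestUrl match 'self' for a document whose URL is docUrl?
//   opaquePolicy "fail":  a unique origin matches nothing, not even itself
//   opaquePolicy "exact": a unique origin matches only the identical URL
function matchesSelf(docUrl, requestUrl, opaquePolicy = "fail") {
  const doc = new URL(docUrl);
  const req = new URL(requestUrl);
  if (doc.host === "") {
    // data:, moz-nullprincipal: and other hostless URLs: unique origin.
    return opaquePolicy === "exact" && doc.href === req.href;
  }
  return doc.protocol === req.protocol &&
         doc.hostname === req.hostname &&
         effectivePort(doc) === effectivePort(req);
}

// Constructed sample inputs.
const cases = [
  ["https://example.com/page", "https://example.com:443/app.js", "fail"],
  ["https://example.com/page", "http://example.com/app.js", "fail"],
  ["data:text/html,frame", "data:text/html,other", "exact"],
  ["data:text/html,frame", "data:text/html,frame", "exact"],
  [NULL_PRINCIPAL, NULL_PRINCIPAL, "fail"],
];
for (const [docUrl, reqUrl, policy] of cases) {
  console.log(policy, docUrl, "->", reqUrl, matchesSelf(docUrl, reqUrl, policy));
}
console.log("naive 'self' for null principal:", naiveSelfSource(NULL_PRINCIPAL));
```
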
Comment on attachment 8897813: bug_1387871_test_meta_csp_self.patch
Review of attachment 8897813:
Let's hold off on the review until we see what happens in Bug 1387684.
Attachment #8897813 - Flags: review?(dveditz)
Attachment #8899116 - Flags: review?(dveditz)
Attachment #8897813 - Attachment is obsolete: true
Attachment #8899116 - Flags: review?(dveditz) → review+
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/6c69390e7b8a CSP: Test 'self' within meta csp in data: URI iframe. r=dveditz
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57