Closed Bug 1499354 Opened 6 years ago Closed 5 years ago

CSP for internal pages should deny plugins (object-src 'none') for privileged pages

Categories

(Core :: DOM: Security, enhancement, P2)

Tracking

RESOLVED FIXED
mozilla71
Tracking Status
firefox71 --- fixed

People

(Reporter: freddy, Assigned: ckerschb)

References

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Privileged pages are getting a CSP. That's great. But I think we want to amend the CSP to contain object-src 'none'. If we had a reflected XSS (or something similar, that doesn't allow scripts but does reflect content) in chrome://, we would be open to rosetta-flash style attacks (see <https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/>).
Assignee: ckerschb → nobody
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

Christoph, I noticed you're still adding new CSPs to about: pages that are default-src chrome:.
Do you think it would be worthwhile coming up with a slightly stricter CSP that avoids some pitfalls?

Happy to patch the existing here.

How about something like default-src 'none'; script-src chrome:; object-src 'none'; base-uri 'none'; img-src chrome:; ?

Right, I have that in mind actually. My idea was to get all of the dependencies landed for Bug 1492063 and then 'tighten' the CSP. The reasons are manifold:

  1. all dependencies have been tested and already r+ - so let's get them landed to get basic coverage.
  2. fallouts, because landing default-src 'none' might break things.
  3. Once we have a CSP it's easy to tighten it.
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: P3 → P2
Whiteboard: [domsecurity-backlog1] → [domsecurity-active]

Kate, I think you were working on adding CSP to about:newtab, right? If I remember correctly we host that code on github and I think once we land the code within this bug then about:newtab will hit the assertion because most likely it does not include "object-src 'none'", right?

Flags: needinfo?(khudson)
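The policies discussed above (the existing default-src chrome: CSP and the stricter one proposed in comment 2) differ in whether plugin content is blocked, and comment 4 mentions an assertion that would fire for any about: page whose CSP does not include object-src 'none'. The following is an added example, not code from this bug or from the Firefox tree, that shows how such a check can be expressed: it parses a serialized CSP, applies the fetch-directive fallback (object-src falls back to default-src when absent), and flags pages whose effective object-src is not 'none'. The about: page names and policy strings in SAMPLE_POLICIES are constructed for illustration and do not reflect the real policies shipped for those pages.

```python
"""Check whether a serialized CSP blocks plugin content (object-src 'none').

Added example; the page names and policies below are constructed samples,
not the real CSPs of any Firefox about: page.
"""
from typing import Dict, List, Optional


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse a serialized CSP into {directive-name: [source expressions]}.

    Directives are ';'-separated; the first whitespace-separated token is the
    directive name (case-insensitive), the remaining tokens are its sources.
    When a directive is repeated, CSP keeps the first occurrence and ignores
    the rest, which is mirrored here.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in directives:
            continue
        directives[name] = tokens[1:]
    return directives


def effective_sources(directives: Dict[str, List[str]],
                      name: str) -> Optional[List[str]]:
    """Return the source list governing a fetch directive.

    object-src (like script-src, img-src, ...) falls back to default-src when
    it is not present. Returns None when neither directive exists, i.e. the
    resource type is not restricted at all.
    """
    if name in directives:
        return directives[name]
    return directives.get("default-src")


def blocks_plugins(policy: str) -> bool:
    """True when the policy's effective object-src matches nothing.

    Per CSP, a source list matches nothing when it is empty or consists of the
    single keyword 'none'. A 'none' that sits beside other sources has no
    effect, so "object-src 'none' chrome:" still allows chrome: plugins.
    """
    sources = effective_sources(parse_csp(policy), "object-src")
    if sources is None:
        return False
    if len(sources) == 0:
        return True
    return len(sources) == 1 and sources[0].lower() == "'none'"


def audit_policies(policies: Dict[str, str]) -> List[str]:
    """Return the pages whose CSP would trip an "object-src must be 'none'" assertion."""
    return sorted(page for page, csp in policies.items() if not blocks_plugins(csp))


# Constructed sample: the lax style named in comment 1 and the strict style
# proposed in comment 2. These are illustrative, not the shipped policies.
STRICT_CSP = ("default-src 'none'; script-src chrome:; object-src 'none'; "
              "base-uri 'none'; img-src chrome:;")
LAX_CSP = "default-src chrome:"

SAMPLE_POLICIES = {
    "about:example-strict": STRICT_CSP,   # constructed
    "about:newtab": LAX_CSP,              # constructed stand-in for comment 4's concern
}

if __name__ == "__main__":
    for page in audit_policies(SAMPLE_POLICIES):
        print(f"{page}: CSP does not block plugins, add object-src 'none'")
```

The fallback step matters for the two policies compared in this bug: default-src 'none' alone already blocks plugins, whereas default-src chrome: silently permits chrome: plugin content unless object-src is set explicitly.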
Pushed by mozilla@christophkerschbaumer.com: https://hg.mozilla.org/integration/autoland/rev/ae1e5187f0bf Add object-src 'none' to the CSP of all about: pages. r=freddyb
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71

Clearing out my ni? queue with super old ni? requests which were rendered unnecessary in the meantime.

Flags: needinfo?(khudson)
