Bug 908824 (Closed)
Opened 11 years ago, closed 11 years ago
CSP 1.0 does not block plugin content with object-src
Categories: Core :: Security, defect
Status: VERIFIED FIXED (mozilla24)
Branch | Tracking | Status
---|---|---
firefox22 | --- | unaffected
firefox23 | --- | wontfix
firefox24 | --- | verified
firefox25 | --- | verified
firefox26 | --- | verified
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People (Reporter: mwobensmith, Assigned: geekboy)
Details (Keywords: sec-moderate, Whiteboard: [adv-main24-] Embargo until 908933 fixed)
Description
1. Run test case here, preferably watching HTTP traffic to observe headers:
http://webappsec-test.info/~mwobensmith/CSP/object-src/CSP_2_1.php
2. View results with FF23 in console:
Error: [Exception... "'TypeError: defaultSrcDir is undefined' when calling method: [nsIContentSecurityPolicy::refinePolicy]" nsresult: "0x8057001c (NS_ERROR_XPC_JS_THREW_JS_OBJECT)" location: "native frame :: <unknown filename> :: <TOP_LEVEL> :: line 0" data: no]
3. Run same test in FF24+ and view console:
[11:38:15.583] Content Security Policy: Directive object-src http://webappsec-test.info:80 violated by http://www2.webappsec-test.info/~mwobensmith/CSP/support/media/flash.swf
We prefer the latter.
Comment 1•11 years ago (Reporter)
Please note:
You can also try an applet on FF23 using this test:
http://webappsec-test.info/~mwobensmith/CSP/object-src/CSP_2_3.php
Ignore the test output in the page, as it might be wrong. Just note whether the applet loads or not, and what message appears in the console.
For the applet case, it acts identical to the SWF above in FF23 and below. However, in FF24+, the applet is not blocked, and no error is flagged anywhere. Please tell me if I should file a separate bug for that, since it affects branches FF24 and above.
Updated•11 years ago (Reporter)
status-firefox22: --- → affected
status-firefox23: --- → affected
status-firefox24: --- → unaffected
status-firefox25: --- → unaffected
status-firefox26: --- → unaffected
status-firefox-esr17: --- → unaffected
Updated•11 years ago (Reporter)
Assignee: nobody → grobinson
Summary: CSP does not block cross-domain plugin content with object-src-'self' → CSP does not block cross-domain plugin content with object-src 'self'
Comment 2•11 years ago (Reporter)
OK, in comment 1 I referenced the applet case. I filed bug 908933 for that, as it appears in FF24+.
Comment 3•11 years ago
I'm confused what this bug is about. You want the Firefox 24 behavior, so this is already fixed, right?
Comment 4•11 years ago (Reporter)
Yes, technically, this is already fixed. However, since it shows our current CSP is very broken, I felt a bug was important to track it. Dunno what our policy would be for an advisory, in this case. Waiting on others - Critsmash, etc. - to triage.
Comment 5•11 years ago
Is there something in particular that fixed it?
This says that ESR is unaffected, so really the only other action is to issue an advisory.
Comment 6•11 years ago (Reporter)
Good question - I don't have insight as to what fixed it, but the related bug 908933 needs to be addressed in FF24+ before we can discuss this one, as this one exposes both of them.
Garrett is out of town this week; we may have to wait until he returns for further assessment. He has been looking at it.
Lastly, thanks for the heads up about ESR. I think technically this might be an issue with the CSP 1.0 implementation, which I am not sure if ESR17 supports. The test case fails there, so we need to examine further - marking affected for now until we know for sure.
Comment 7•11 years ago (Reporter)
Changed title to reflect that - AFAIK - no potential source list values for the object-src directive seems to prevent SWF loading in this bug.
It's not just 'self' but domains, protocols, ports, 'none', etc. The plugin is always loaded, regardless.
Summary: CSP does not block cross-domain plugin content with object-src 'self' → CSP does not block plugin content with object-src
Comment 8•11 years ago (Reporter)
Just a little more info.
This bug also includes the media-src directive, with audio/video. Same problem.
And to be clearer - this appears to be an issue with the 1.0 implementation. If we only use the prefixed header, everything is blocked, as expected. However, if we use the proper, unprefixed header, these directives don't work in FF23. They do work in Chrome and FF24+.
Comment 9•11 years ago
Matt: I think the CSP 1.0 header only landed in Fx23, so is "22 affected" really correct? Maybe we backported it?
If this is fixed in 24 can you please make this bug depend on that one.
Calling this sec-moderate since it's a major failure of a feature but the feature itself is a mitigation against website bugs.
Flags: needinfo?(mwobensmith)
Keywords: sec-moderate
Summary: CSP does not block plugin content with object-src → CSP 1.0 does not block plugin content with object-src
Updated•11 years ago
Whiteboard: [adv-main24+]
Comment 10•11 years ago (Reporter)
FF22 is not affected. Nor is FF17esr. Looks like just FF23.
I don't know if there is a bug associated with what fixed it in FF24+, assuming we knowingly fixed it. I will search for it and/or ask Garrett when he returns.
Flags: needinfo?(mwobensmith)
Updated•11 years ago
Alias: CVE-2013-1732
Comment 11•11 years ago
(In reply to Matt Wobensmith from comment #10)
> FF22 is not affected. Nor is FF17esr. Looks like just FF23.
>
> I don't know if there is a bug associated with what fixed it in FF24+,
> assuming we knowingly fixed it. I will search for it and/or ask Garrett when
> he returns.
Any status update here Matt?
Flags: needinfo?(mwobensmith)
Comment 12•11 years ago (Reporter)
According to Sid, the patch for bug 780978 fixed it in FF24+.
"We removed makeExplicit() ... (which caused) any CSP in 1.0 that didn't use a default-src (to fail)."
I set Status to Resolved/Fixed. Feel free to change if that doesn't quite fit the situation, as it was a bug reported against the current build... that was already fixed in later builds.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(mwobensmith)
Resolution: --- → FIXED
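Added example, not Firefox's code and not posted by anyone on this bug: a small CSP 1.0 source-list evaluator in JavaScript that puts the two behaviours discussed here side by side. allowsLoad follows the fixed semantics from comment 12 (an absent directive falls back to default-src, and a policy with neither allows the load), while allowsLoadFf23 models the FF23 failure from the console error in the description, where a 1.0 policy without default-src threw inside refinePolicy and the plugin loaded regardless; the page and SWF URLs are constructed, and the matcher covers the 'self', 'none', scheme, host and port forms comment 7 lists.

```javascript
// Added example, not Firefox's own CSP code: parse a CSP 1.0 header value
// into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Effective port, filling in the scheme default when the URL gives none.
const portOf = (u) => u.port || (u.protocol === "https:" ? "443" : "80");

// Match one source expression: 'self', 'none', *, scheme:, [scheme://]host[:port].
function sourceMatches(expr, url, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return url.origin === page.origin;
  if (e === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (url.protocol !== (scheme ? scheme + ":" : page.protocol)) return false;
  const h = url.hostname;
  if (wildcard ? !h.endsWith("." + host) : h !== host) return false;
  return !port || port === "*" || port === portOf(url);
}

// Fixed behaviour (builds carrying the bug 780978 patch): an absent directive
// falls back to default-src, and a policy with neither simply allows the load.
function allowsLoad(policy, directive, urlStr, pageStr) {
  const sources = policy[directive] ?? policy["default-src"];
  if (sources === undefined) return true;
  const url = new URL(urlStr), page = new URL(pageStr);
  return sources.some((s) => sourceMatches(s, url, page));
}

// Model of the FF23 failure in the console error above: default-src was
// dereferenced unconditionally, so a 1.0 policy without one threw instead of
// answering, and the plugin loaded as though no policy had been set.
function allowsLoadFf23(policy, directive, urlStr, pageStr) {
  if (policy["default-src"] === undefined) throw new TypeError("defaultSrcDir is undefined");
  return allowsLoad(policy, directive, urlStr, pageStr);
}

// Constructed check mirroring the test case: 'self' policy, SWF on another host.
const PAGE = "http://webappsec-test.info/csp.php", SWF = "http://www2.webappsec-test.info/flash.swf";
console.log(allowsLoad(parseCsp("object-src 'self'"), "object-src", SWF, PAGE)); // false: blocked
```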
Comment 13•11 years ago
Given comment 12 can we just mark this verified fixed across all branches?
Updated•11 years ago
Comment 15•11 years ago
I don't think we can release an advisory for this while the applet case is still a problem, unfortunately.
Alias: CVE-2013-1732
Depends on: CVE-2016-2833
Whiteboard: [adv-main24+] → [adv-main24-] Embargo until 908933 fixed
Updated•11 years ago (Reporter)
status-b2g18: --- → unaffected
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release