Opened on 08/20/2018 at 01:49:22 PM
Closed on 08/27/2018 at 04:29:26 PM
Last modified on 10/17/2018 at 02:50:13 PM
#6871 closed defect (fixed)
Extension incorrectly accepts $csp filters with blank value
Reported by: | Ross | Assignee: | jsonesen |
---|---|---|---|
Priority: | P2 | Milestone: | |
Module: | Core | Keywords: | |
Cc: | kzar, sebastian, hfiguiere, mjethani, jsonesen | Blocked By: | |
Blocking: | | Platform: | Unknown / Cross platform |
Ready: | yes | Confidential: | no |
Tester: | Ross | Verified working: | yes |
Review URL(s): |
Description (last modified by mjethani)
Environment
ABP 3.2.0.2103
Chrome 68 / 55 / Windows 10
Firefox 51 / Windows 10
Reproduced in 3.2.
How to reproduce
- Add the filter *$csp=
Observed behaviour
The filter is accepted.
Expected behaviour
According to #6733, blank values should be allowed for the $rewrite filter, but not for the $domain, $sitekey or $csp filters. The $domain and $sitekey filter options error on blank value as expected.
Hints for testers
Test that CSP filters work in general as expected but no longer accept blank values. If a filter contains a blank value for the $csp option, it should be ignored. This can be verified by writing such a filter and checking the DevTools console for the error Invalid header specification '{"name":"Content-Security-Policy"}'; after this change, no such error should appear in the DevTools console.
Known issues
This change introduced the regression described in #7043. Whitelist CSP filters should be able to have blank values.
Attachments (0)
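The blank-value rule this ticket describes, as an added example that is not Adblock Plus's own code: a simplified option check that rejects blank $csp, $domain and $sitekey, allows blank $rewrite, and keeps the whitelist case noted under Known issues (#7043). The name `checkFilterOptions`, its return shape and the sample filters are hypothetical, and treating whitespace-only values as blank is an assumption.

```javascript
// Added example: simplified option check, not the extension's real parser.
// Assumption: options follow the last "$" and are comma-separated.

// Options that must carry a non-blank value, per the ticket.
const REQUIRES_VALUE = new Set(["domain", "sitekey", "csp"]);

function checkFilterOptions(text) {
  // "@@" marks an exception (whitelist) filter.
  const isException = text.startsWith("@@");
  const dollar = text.lastIndexOf("$");
  if (dollar === -1)
    return {valid: true, options: {}};

  const options = {};
  for (const part of text.slice(dollar + 1).split(",")) {
    const eq = part.indexOf("=");
    const name = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    // Assumption: a whitespace-only value counts as blank.
    const value = eq === -1 ? null : part.slice(eq + 1).trim();
    const blank = value === null || value === "";

    if (blank && REQUIRES_VALUE.has(name)) {
      // Whitelist CSP filters may be blank (see Known issues, #7043).
      if (!(name === "csp" && isException))
        return {valid: false, reason: "blank value for $" + name};
    }
    options[name] = value;
  }
  return {valid: true, options};
}

// Constructed sample filters covering each rule from the ticket.
const samples = [
  "*$csp=",                  // rejected: would yield a header with no value
  "*$csp=script-src 'none'", // accepted: CSP has a policy to inject
  "@@||example.com^$csp",    // accepted: whitelist CSP filter, blank allowed
  "||example.com^$domain=",  // rejected
  "||example.com^$rewrite="  // accepted: blank $rewrite is allowed
];
for (const filter of samples) {
  const result = checkFilterOptions(filter);
  console.log(filter, "->",
              result.valid ? "accepted" : "rejected: " + result.reason);
}
```

Rejecting the filter at parse time is what keeps the extension from ever building the valueless Content-Security-Policy header that the browser reports as an invalid header specification.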
Change History (12)
comment:1 Changed on 08/20/2018 at 01:49:49 PM by Ross
comment:2 Changed on 08/20/2018 at 04:06:05 PM by mjethani
The web extension even tries to inject the CSP header and gets this error from the browser: Unchecked runtime.lastError while running webRequestInternal.eventHandled: Invalid header specification '{"name":"Content-Security-Policy"}'
comment:3 Changed on 08/20/2018 at 04:06:32 PM by mjethani
- Component changed from Unknown to Core
- Priority changed from Unknown to P2
- Ready set
comment:4 Changed on 08/20/2018 at 04:06:56 PM by mjethani
- Cc jsonesen added
comment:5 Changed on 08/20/2018 at 06:15:46 PM by jsonesen
- Owner set to jsonesen
comment:6 Changed on 08/21/2018 at 07:23:28 PM by jsonesen
comment:7 Changed on 08/22/2018 at 07:51:19 PM by jsonesen
- Review URL(s) modified (diff)
- Status changed from new to reviewing
comment:8 Changed on 08/25/2018 at 07:38:41 AM by abpbot
A commit referencing this issue has landed:
Issue 6871 - Reject filters with blank CSPs
comment:9 Changed on 08/27/2018 at 04:29:26 PM by jsonesen
- Resolution set to fixed
- Status changed from reviewing to closed
comment:10 Changed on 08/28/2018 at 09:15:13 AM by mjethani
- Description modified (diff)
comment:11 Changed on 10/15/2018 at 08:33:23 PM by mjethani
- Description modified (diff)
comment:12 Changed on 10/17/2018 at 02:50:13 PM by Ross
- Tester changed from Unknown to Ross
- Verified working set
Fixed.
ABP 3.3.2.2175
Firefox 62 / 51 / Windows 10
Chrome 69 / 49 / Windows 10
Opera 56 / 36 / Windows 10
This is not a regression (it occurs in 3.2) but goes against what is in the 3.3 ticket (#6733).