Opened 14 months ago

Closed 13 months ago

Last modified 12 months ago

#5953 closed defect (fixed)

CSP in Firefox blocks our script injection

Reported by: tschuster
Assignee: tschuster
Priority: P3
Milestone: Adblock-Plus-3.0.2-for-Firefox
Module: Platform
Keywords:
Cc: mjethani
Blocked By:
Blocking:
Platform: Firefox
Ready: yes
Confidential: no
Tester: Ross
Verified working: yes
Review URL(s): https://codereview.adblockplus.org/29590611/

Description (last modified by trev)

Firefox WebExtensions don't overwrite a site's CSP when creating a script and assigning to textContent instead of src. (We do this here: https://hg.adblockplus.org/adblockpluschrome/file/tip/inject.preload.js#l401)

I am going to submit a patch later, which is basically the same as this one I contributed to ViolentMonkey: https://github.com/violentmonkey/violentmonkey/pull/246

The relevant Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027

What to test

This issue affects WebRTC blocking on websites that have a CSP disallowing inline scripts (e.g. Content-Security-Policy: script-src 'self' or any other policy without 'unsafe-eval').

Note that the fix only works for Firefox 58 and above, not older versions of Firefox.
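The injection path the ticket describes, as an added example (this is not the Adblock Plus inject.preload.js code and not the ViolentMonkey patch): a content-script helper that loads the page-context code through a blob: URL on Firefox and through textContent elsewhere, plus a small policy checker that says whether a given Content-Security-Policy header would block the textContent form. The isFirefox test on moz-extension://, the simplified CSP rules in cspBlocksInlineScript, and the doc/firefox parameters on injectPageScript are this example's own assumptions, added so the code can be exercised outside a browser.

```javascript
// Added example (not Adblock Plus code): injecting page-context code from a
// WebExtension content script so that the site's CSP does not block it.
//
// The ticket's point: code assigned to script.textContent is an inline
// script, and Firefox applies the page's CSP to it, so a policy such as
// "script-src 'self'" (or GitHub's "script-src https://assets-cdn.github.com")
// refuses to run it. Loading the same code via script.src from a blob: URL
// is an extension-initiated load that Firefox 58+ exempts from the page CSP.
// Chromium (at the time of the ticket) exempts the textContent form instead.

/**
 * Reasoning aid for testers: does `policy` (a Content-Security-Policy header
 * value) block an inline <script> that carries no nonce attribute?
 * Simplified CSP semantics, stated here as assumptions of this example:
 *  - script-src governs scripts, default-src is the fallback, and neither
 *    present means scripts are unrestricted;
 *  - 'unsafe-inline' permits inline scripts, except that CSP2+ ignores it
 *    when a nonce- or hash-source is also listed;
 *  - 'unsafe-eval' is irrelevant: it concerns eval(), not inline <script>.
 */
function cspBlocksInlineScript(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  const sources = directives.get("script-src") || directives.get("default-src");
  if (!sources) return false;                       // nothing governs scripts
  const lower = sources.map(s => s.toLowerCase());
  if (lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s))) return true;
  return !lower.includes("'unsafe-inline'");
}

/** Firefox serves extension resources from moz-extension://, Chromium from chrome-extension://. */
function isFirefox() {
  return typeof browser !== "undefined" &&
         browser.runtime.getURL("").startsWith("moz-extension://");
}

/**
 * Run `code` in the page's own JavaScript context. `doc` and `firefox` are
 * parameters only so the function can be tested without a browser; in an
 * extension they default to the real document and the real browser check.
 * Returns the <script> element so a caller can inspect it.
 */
function injectPageScript(code, {doc = document, firefox = isFirefox()} = {}) {
  const script = doc.createElement("script");
  script.type = "application/javascript";
  script.async = false;                             // keep ordering among src scripts

  if (firefox) {
    // Firefox 58+: a src load from a blob: URL minted by the extension is not
    // subject to the page CSP. The fetch starts when the element is inserted,
    // so the element can be removed and the URL revoked right away.
    const url = URL.createObjectURL(new Blob([code], {type: "application/javascript"}));
    script.src = url;
    doc.documentElement.appendChild(script);
    doc.documentElement.removeChild(script);
    URL.revokeObjectURL(url);
  } else {
    // Chromium: the inline form runs synchronously on insertion and is not
    // subject to the page CSP, so it can be removed immediately afterwards.
    script.textContent = code;
    doc.documentElement.appendChild(script);
    doc.documentElement.removeChild(script);
  }
  return script;
}
```

The two branches are not equivalent: the textContent form executes synchronously on insertion, whereas the blob: src form is fetched and executed later, so a page script that runs before the blob has loaded is not yet wrapped; that is the error-proneness comment 3 alludes to, and the reason to keep the textContent form where the browser permits it. The policy checker is only a reasoning aid (it tells you that GitHub's script-src https://assets-cdn.github.com blocks the inline form and that 'unsafe-eval' makes no difference); the injector itself never consults the page CSP.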

Change History (18)

comment:1 Changed 14 months ago by tschuster

  • Description modified (diff)

comment:2 Changed 14 months ago by tschuster

  • Review URL(s) modified (diff)

comment:3 Changed 14 months ago by tschuster

This way of injecting the script seems a bit more error prone compared to just setting textContent, so maybe we should only do this in Firefox?

comment:4 Changed 14 months ago by mjethani

Are you sure that this is needed?

We don't do script injection on Firefox; instead we use tabs.insertCSS. This is unlikely to change even in the future.

comment:5 Changed 14 months ago by mjethani

  • Cc mjethani added

comment:6 Changed 14 months ago by tschuster

Weird, this code definitely seems to run for me. When using the latest build from https://downloads.adblockplus.org/devbuilds/adblockplusfirefox/, I get this error on (for example) github:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://assets-cdn.github.com”). Source: (function injected(eventName, injectedIn....

comment:7 Changed 14 months ago by mjethani

My bad! I momentarily confused script injection with style injection. Yes, we do run this for the wrappers.

comment:8 Changed 13 months ago by abpbot

A commit referencing this issue has landed:
Issue 5953 - Bypass site CSP for script injection in Firefox

comment:9 Changed 13 months ago by kzar

  • Milestone changed from Adblock-Plus-3.0-for-Chrome-Opera-Firefox to Adblock-Plus-for-Chrome-Opera-Firefox-next

comment:10 Changed 13 months ago by Ross

Just double checking: Testing for this should be checking that scripts are still injected/function on sites using a CSP?

comment:11 Changed 13 months ago by trev

  • Resolution set to fixed
  • Status changed from new to closed

comment:12 Changed 13 months ago by trev

  • Component changed from Unknown to Platform
  • Description modified (diff)
  • Priority changed from Unknown to P3
  • Ready set

comment:13 Changed 13 months ago by trev

  • Description modified (diff)

comment:14 Changed 13 months ago by tschuster

To provide a bit better information on this: this change landed only in Firefox 58 (beta at the moment). The actually relevant bug is https://bugzilla.mozilla.org/show_bug.cgi?id=1406278, which is a dependency of the bug I posted initially.

comment:15 (follow-up: comment 16) Changed 12 months ago by Ross

After reading through the mozilla tickets, I'm unsure what to test for this ticket. That WebRTC works fine in Firefox 58+? And/or the github related error in comment 6?

comment:16 (in reply to: comment 15) Changed 12 months ago by kzar

Replying to Ross:

After reading through the mozilla tickets, I'm unsure what to test for this ticket. That WebRTC works fine in Firefox 58+? And/or the github related error in comment 6?

As discussed in IRC I've had a go at making a test page for you, browse to http://csp.kzar.co.uk/ and then click the link to the #5953 test page. It should attempt to open a WebRTC connection to a non existing WebRTC server stun:kzar.co.uk, but there should be an extremely restrictive Content Security Policy which blocks most other scripts (including the others in the page which attempt to open WebSocket connections).

comment:17 Changed 12 months ago by kzar

  • Owner set to tschuster

comment:18 Changed 12 months ago by Ross

  • Tester changed from Unknown to Ross
  • Verified working set

Done. Using kzar's CSP test page I could block the WebRTC connection the page was attempting to make.

ABP 3.0.1.1943
Firefox 58 / Windows 7
