Opened on 10/27/2017 at 11:37:41 AM
Closed on 11/28/2017 at 10:08:59 AM
Last modified on 12/12/2017 at 08:38:03 AM
#5953 closed defect (fixed)
CSP in Firefox blocks our script injection
| Reported by: | tschuster | Assignee: | tschuster |
|---|---|---|---|
| Priority: | P3 | Milestone: | Adblock-Plus-3.0.2-for-Firefox |
| Module: | Platform | Keywords: | |
| Cc: | mjethani | Blocked By: | |
| Blocking: | Platform: | Firefox | |
| Ready: | yes | Confidential: | no |
| Tester: | Ross | Verified working: | yes |
| Review URL(s): | |||
Description (last modified by trev)
Firefox WebExtensions don't overwrite a site's CSP when creating a script and assigning to textContent instead of src. (We do this here: https://hg.adblockplus.org/adblockpluschrome/file/tip/inject.preload.js#l401)
I am going to submit a patch later, which is basically the same as this one I contributed to ViolentMonkey: https://github.com/violentmonkey/violentmonkey/pull/246
The relevant Firefox bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1267027
What to test
This issue affects WebRTC blocking on websites that have a CSP disallowing inline scripts (e.g. Content-Security-Policy: script-src 'self' or any other policy without 'unsafe-eval').
Note that the fix only works for Firefox 58 and above, not older versions of Firefox.
Attachments (0)
Change History (18)
comment:3 Changed on 10/27/2017 at 04:02:00 PM by tschuster
comment:4 Changed on 10/27/2017 at 04:30:18 PM by mjethani
Are you sure that this is needed?
We don't do script injection on Firefox; instead we use tabs.insertCSS. This is unlikely to change even in the future.
comment:5 Changed on 10/27/2017 at 04:30:29 PM by mjethani
- Cc mjethani added
comment:6 Changed on 10/27/2017 at 04:48:57 PM by tschuster
Weird, this code definitely seems to run for me. When using the latest build from https://downloads.adblockplus.org/devbuilds/adblockplusfirefox/, I get this error on (for example) github:
Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src https://assets-cdn.github.com”). Source: (function injected(eventName, injectedIn....
comment:7 Changed on 10/27/2017 at 04:51:38 PM by mjethani
My bad! I momentarily confused script injection with style injection. Yes, we do run this for the wrappers.
comment:8 Changed on 11/23/2017 at 02:48:15 PM by abpbot
A commit referencing this issue has landed:
Issue 5953 - Bypass site CSP for script injection in Firefox
comment:9 Changed on 11/23/2017 at 02:49:12 PM by kzar
- Milestone changed from Adblock-Plus-3.0-for-Chrome-Opera-Firefox to Adblock-Plus-for-Chrome-Opera-Firefox-next
comment:10 Changed on 11/28/2017 at 10:00:28 AM by Ross
Just double checking: Testing for this should be checking that scripts are still injected/function on sites using a CSP?
comment:11 Changed on 11/28/2017 at 10:08:59 AM by trev
- Resolution set to fixed
- Status changed from new to closed
comment:12 Changed on 11/28/2017 at 10:15:14 AM by trev
- Component changed from Unknown to Platform
- Description modified (diff)
- Priority changed from Unknown to P3
- Ready set
comment:13 Changed on 11/28/2017 at 11:39:10 AM by trev
- Description modified (diff)
comment:14 Changed on 11/28/2017 at 04:27:27 PM by tschuster
To provide a bit better information on this. This change landed only in Firefox 58 (beta at the moment). The actually relevant bug is https://bugzilla.mozilla.org/show_bug.cgi?id=1406278, which is a dependency of the bug I posted initially.
comment:15 follow-up: ↓ 16 Changed on 12/05/2017 at 10:15:53 AM by Ross
After reading through the mozilla tickets, I'm unsure what to test for this ticket. That WebRTC works fine in Firefox 58+? And/or the github related error in comment 6?
comment:16 in reply to: ↑ 15 Changed on 12/11/2017 at 11:22:14 AM by kzar
Replying to Ross:
After reading through the mozilla tickets, I'm unsure what to test for this ticket. That WebRTC works fine in Firefox 58+? And/or the github related error in comment 6?
As discussed in IRC I've had a go at making a test page for you, browse to http://csp.kzar.co.uk/ and then click the link to the #5953 test page. It should attempt to open a WebRTC connection to a non existing WebRTC server stun:kzar.co.uk, but there should be an extremely restrictive Content Security Policy which blocks most other scripts (including the others in the page which attempt to open WebSocket connections).
comment:17 Changed on 12/11/2017 at 04:22:14 PM by kzar
- Owner set to tschuster
comment:18 Changed on 12/12/2017 at 08:38:03 AM by Ross
- Tester changed from Unknown to Ross
- Verified working set
Done. Using kzar's CSP test page I could block the WebRTC connection the page was attempting to make.
ABP 3.0.1.1943
Firefox 58 / Windows 7
This way of injecting the script seems a bit more error prone compared to just setting textContent, so maybe we should only do this in Firefox?