Opened 8 months ago

Last modified 8 months ago

#6873 new defect

$csp filter can make CSP options more insecure on Firefox 55 / 51

Reported by: Ross Assignee:
Priority: Unknown Milestone:
Module: Platform Keywords:
Cc: kzar, sebastian, hfiguiere, mjethani Blocked By:
Blocking: Platform: Unknown / Cross platform
Ready: no Confidential: no
Tester: Unknown Verified working: no
Review URL(s):

Description

Environment

ABP 3.2.0.2103
Firefox 55 / 51 / Windows 10
Could not reproduce in Chrome or Firefox 61.

Also occurs in ABP 3.2.

How to reproduce

  1. Navigate to https://csp.kzar.co.uk/?csp=frame-src%20%27none%27
  2. Add filter ||csp.kzar.co.uk^$csp=http:

Observed behaviour

The frame on the page loads because the filter seems to have overridden the frame-src 'none' with 'http'.

Expected behaviour

The frame should not load. In Chrome 68/55/51 and Firefox 61, the frame does not load as expected.

Change History (3)

comment:1 Changed 8 months ago by Ross

This also occurs in 3.2 so is not a regression for 3.3.

comment:2 Changed 8 months ago by mjethani

FYI unable to reproduce this on Firefox 59.

Also, as for the fix for this, we might just want to ignore CSP filters on older versions of Firefox that have this problem.

comment:3 Changed 8 months ago by mjethani

  • Component changed from Unknown to Platform
Note: See TracTickets for help on using tickets.