Opened 16 months ago

Closed 3 months ago

#6873 closed defect (rejected)

$csp filter can make CSP options more insecure on Firefox 55 / 51

Reported by: Ross Assignee:
Priority: Unknown Milestone:
Module: Platform Keywords: closed-in-favor-of-gitlab
Cc: kzar, sebastian, hfiguiere, mjethani Blocked By:
Blocking: Platform: Unknown / Cross platform
Ready: no Confidential: no
Tester: Unknown Verified working: no
Review URL(s):

Description

Environment

ABP 3.2.0.2103
Firefox 55 / 51 / Windows 10
Could not reproduce in Chrome or Firefox 61.

Also occurs in ABP 3.2.

How to reproduce

  1. Navigate to https://csp.kzar.co.uk/?csp=frame-src%20%27none%27
  2. Add filter ||csp.kzar.co.uk^$csp=http:

Observed behaviour

The frame on the page loads because the filter seems to have overridden the frame-src 'none' with 'http'.

Expected behaviour

The frame should not load. In Chrome 68/55/51 and Firefox 61, the frame does not load as expected.

Change History (4)

comment:1 Changed 16 months ago by Ross

This also occurs in 3.2 so is not a regression for 3.3.

comment:2 Changed 16 months ago by mjethani

FYI unable to reproduce this on Firefox 59.

Also, as for the fix for this, we might just want to ignore CSP filters on older versions of Firefox that have this problem.

comment:3 Changed 16 months ago by mjethani

  • Component changed from Unknown to Platform

comment:4 Changed 3 months ago by sebastian

  • Keywords closed-in-favor-of-gitlab added
  • Resolution set to rejected
  • Status changed from new to closed

Sorry, but we switched to GitLab. If this issue is still relevant, please file it again in the new issue tracker.

Note: See TracTickets for help on using tickets.