
Issue 614416 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Compat




CSP enforcement error in Chrome canary

Reported by dev.akh...@gmail.com, May 24 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36

Example URL:
https://paper.dropbox.com/doc/This-should-fail-to-load-under-Chrome-Canary-so3BAdMIJG4ndvlzgm5yx

Steps to reproduce the problem:
1. That URI breaks due to CSP errors but works fine in Chrome stable

What is the expected behavior?

What went wrong?
CSP enforcement blocked based on nonce.

Does it occur on multiple sites: N/A

Is it a problem with a plugin? N/A 

Did this work before? Yes Chrome Stable

Does this work in other browsers? Yes 

Chrome version: 53.0.2747.0  Channel: canary
OS Version: OS X 10.11.5
Flash Version: Shockwave Flash 21.0 r0
 
CC @mkwst @jww 

Comment 2 by rsesek@chromium.org, May 24 2016

Cc: jww@chromium.org mkwst@chromium.org
Components: Blink>SecurityFeature

Comment 3 by jww@chromium.org, May 24 2016

Cc: est...@chromium.org
Owner: jww@chromium.org
Status: Assigned (was: Unconfirmed)
Just confirmed the issue and also confirmed that a revert of https://codereview.chromium.org/1980533002/ resolves the issue. I'll look into this.

Comment 4 by jww@chromium.org, May 24 2016

Alright, found the bug. In the CL mentioned in #3, there was a change in checkNonce():
return !directive || directive->allowNonce(nonce);
to
return directive && directive->allowNonce(nonce);

I'm not sure what the goal of this change was (especially since it no longer matches any of the other check*() methods), but this breaks sites with *two* CSPs, where one has neither a script-src nor default-src directive. For example, if a page has the following two separate directives sent:

Content-Security-Policy: default-src 'self' 'unsafe-inline'; script-src 'nonce-noncynonce' 'unsafe-inline'
Content-Security-Policy: frame-ancestors 'self'

checkNonce() would now fail on the second policy, since |directive| was empty, which now causes it to fail instead of pass. Thus, in our CSP logic, where *all* policies must pass, it would now fail this nonce check.

At the very least, I'm going to change this back for now since mkwst@ is OOO at the moment and bring back the old behavior. I'm not positive which is the "correct" behavior, though, so we may need to talk about this when he returns.

I'll upload a CL shortly for estark@ to take a quick peek at.

Comment 5 by jww@chromium.org, May 24 2016

Hm, I now see why this was changed. In theory, this shouldn't count as a "passing" nonce; it should just be seen as not-failing.

Unfortunately, Step 3 of https://w3c.github.io/webappsec-csp/#directive-script-src is pretty clear that an inline script on a page whose policy lacks script-src and default-src directives *should* pass the inline script check, and it is seen as "failing," which isn't really the case.

Working further on how to resolve these two competing requirements.

Comment 6 by a...@google.com, May 25 2016

Cc: a...@google.com

Comment 7 by bugdroid1@chromium.org, May 26 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d9341c818db0c3f07aba8ad98e51eeeb71271506

commit d9341c818db0c3f07aba8ad98e51eeeb71271506
Author: jww <jww@chromium.org>
Date: Thu May 26 03:39:08 2016

Fix bug where a second CSP without script-src would cause failure

After an earlier change to make sure report-only mode did not
erroneously cause a policy failure (see
https://codereview.chromium.org/1980533002), the logic was changed so
that checking the script/style nonce would fail if a policy has no nonce
entry for a directive. Unfortunately, this had the side effect of
disallowing scripts/styles if there are two policies, and one allows
inline scripts via nonce, and the other simply did not mention scripts.

This modifies the nonce logic so that the allow[Script|Style]Nonce no
longer returns a simple bool and instead returns a disposition of Allow,
Deny, or NoPolicy. In the last case, this will not cause a failure in
and of itself, and will allow other policies to be processed before a
decision is made.

BUG= 614416 , 611652 
TBR=mkwst@chromium.org

Review-Url: https://codereview.chromium.org/2006653005
Cr-Commit-Position: refs/heads/master@{#396104}

[modify] https://crrev.com/d9341c818db0c3f07aba8ad98e51eeeb71271506/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/multiple-policies-with-nonce.php
[modify] https://crrev.com/d9341c818db0c3f07aba8ad98e51eeeb71271506/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/d9341c818db0c3f07aba8ad98e51eeeb71271506/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[modify] https://crrev.com/d9341c818db0c3f07aba8ad98e51eeeb71271506/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
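As an added illustration (not Blink's code) of the per-policy nonce check analysed in comment #4 and the tri-state fix described in the commit above: a minimal model of the pre-regression, regressed and fixed variants, run over the two headers from comment #4. Policy, Disposition and the *Allows helpers are names chosen here, not Blink's; the model ignores 'unsafe-inline', hashes and report-only mode.

```cpp
#include <string>
#include <vector>

// One CSP policy reduced to what the bug touched: whether it carries a
// script-src (or default-src fallback) and, if so, which nonce it accepts.
// 'unsafe-inline', hashes and report-only mode are left out of the model.
struct Policy {
    bool hasScriptDirective;  // false for a policy such as "frame-ancestors 'self'"
    std::string allowedNonce; // the 'nonce-...' value, empty if none
};
using Policies = std::vector<Policy>;
// Original behaviour quoted in comment #4: a policy with no script
// directive does not object to the nonce.
bool checkNonceOld(const Policy& p, const std::string& nonce) {
    return !p.hasScriptDirective || p.allowedNonce == nonce;
}
// The regression from https://codereview.chromium.org/1980533002: a policy
// with no script directive now counts as a failed check.
bool checkNonceBroken(const Policy& p, const std::string& nonce) {
    return p.hasScriptDirective && p.allowedNonce == nonce;
}
// The fix from commit d9341c8: a tri-state disposition, so "no policy for
// this directive" is neither a pass nor a failure.
enum class Disposition { Allow, Deny, NoPolicy };
Disposition checkNonceFixed(const Policy& p, const std::string& nonce) {
    if (!p.hasScriptDirective) return Disposition::NoPolicy;
    return p.allowedNonce == nonce ? Disposition::Allow : Disposition::Deny;
}
// Blink requires every active policy to pass. For the bool checks "pass"
// means true; with the fix, only an explicit Deny blocks the script.
bool oldAllows(const Policies& ps, const std::string& nonce) {
    for (const Policy& p : ps) if (!checkNonceOld(p, nonce)) return false;
    return true;
}
bool brokenAllows(const Policies& ps, const std::string& nonce) {
    for (const Policy& p : ps) if (!checkNonceBroken(p, nonce)) return false;
    return true;
}
bool fixedAllows(const Policies& ps, const std::string& nonce) {
    for (const Policy& p : ps)
        if (checkNonceFixed(p, nonce) == Disposition::Deny) return false;
    return true;  // all Allow or NoPolicy: the spec's "no script-src" case passes too
}

// The two headers from comment #4, modelled as constructed sample data.
const Policies kTwoPolicies = {
    {true, "noncynonce"}, // default-src 'self' 'unsafe-inline'; script-src 'nonce-noncynonce' 'unsafe-inline'
    {false, ""},          // frame-ancestors 'self'
};
```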

Comment 8 by jww@chromium.org, Jun 3 2016

Status: Fixed (was: Assigned)

Comment 9 by bugdroid1@chromium.org, Jun 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7

commit cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7
Author: mkwst <mkwst@chromium.org>
Date: Mon Jun 06 15:57:30 2016

Refactor nonce support to correctly handle report-only policy.

In order to correctly handle report-only, we need to stop thinking of
nonces as a one-time bypass in 'ScriptLoader', and start thinking of it
as an ongoing check associated with a request (as it's specced in
https://w3c.github.io/webappsec-csp/#script-src-algorithms). This patch
moves nonce checking into 'FrameFetchContext::canRequest' by attaching
it to 'ResourceLoaderOptions', and using that new data inside the
'ContentSecurityPolicy::allow*' checks to ensure that each active policy
gets a crack at reporting violations.

To prevent regression, this patch adds a number of unit tests, moves
the existing nonce layout tests to a separate directory, and adds a
few layout tests as well.

BUG= 614416 , 611652 ,614802

Review-Url: https://codereview.chromium.org/2020223002
Cr-Commit-Position: refs/heads/master@{#398036}

[add] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-allowed.php
[add] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php
[add] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-multiple-allowed.php
[add] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-multiple-blocked.php
[add] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-reportonly-allowed.php
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-allowed-expected.txt
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-allowed.html
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-and-scripthash-expected.txt
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-and-scripthash.html
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-basic-blocked-expected.txt
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-basic-blocked.html
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-blocked-expected.txt
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-blocked.html
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-ignore-unsafeinline-expected.txt
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-ignore-unsafeinline.html
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-invalidnonce-expected.txt
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-invalidnonce.html
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-redirect-expected.txt
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/scriptnonce-redirect.html
[add] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/style-enforce-allowed.php
[add] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/style-enforce-blocked.php
[add] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/style-multiple-allowed.php
[add] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/style-multiple-blocked.php
[add] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/style-reportonly-allowed.php
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/stylenonce-allowed-expected.txt
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/stylenonce-allowed.html
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/stylenonce-basic-blocked-error-event-expected.txt
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/stylenonce-basic-blocked-error-event.html
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/stylenonce-blocked-expected.txt
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/stylenonce-blocked.html
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/stylenonce-svg-style-basic-blocked-error-event-expected.txt
[rename] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/stylenonce-svg-style-basic-blocked-error-event.html
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/core.gypi
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/dom/Element.cpp
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/dom/StyleElement.cpp
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/fetch/FetchRequest.h
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/fetch/ResourceLoaderOptions.h
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h
[add] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/html/HTMLLinkElement.cpp
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/loader/FrameFetchContext.cpp
[modify] https://crrev.com/cb18719cbfb2652bd1f0c89ff2b43fc431d9a3a7/third_party/WebKit/Source/core/workers/WorkerGlobalScope.cpp
