
Issue 663049


Issue metadata

Status: WontFix
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security

Blocking:
issue 661126




sourceMappingURL should be blockable by one of CSP directives

Project Member Reported by lukasza@chromium.org, Nov 7 2016

Issue description

Today
  <script nonce="mytestnonce">
  //# sourceMappingURL=http://localhost:8080/resources/dummy.txt
  </script>
will be fetched if
  1. devtools is opened
  2. nonce matches (or the inline script is allowed via other means - i.e. via digest matching or via )

EXPECTED BEHAVIOR: There should be a 3rd condition above - CSP should allow the fetch (unclear if this should go via script-src and/or connect-src?)

ACTUAL BEHAVIOR: CSP cannot be used to block the sourceMappingURL fetch

 
Given the fact that having devtools opened is a prerequisite for the fetch, I would personally lean toward treating this bug as low priority (maybe even resolving as WontFix).  OTOH, maybe we should add a browser test that verifies (via monitoring of embedded test server) that the fetch doesn't take place without devtools opened.

Preventing the fetch might be difficult:

- On the renderer side, the fetch is initiated from devtools javascript (and it seems difficult to consult CSP from javascript)

- On the browser side, the fetch is handled low in the stack - not sure if browser-side CSP processing might help block the fetch

#2 0x7f7978b5b749 net::URLFetcherCore::Start()
#3 0x7f7978b6f790 net::URLFetcherImpl::Start()
#4 0x7f797fdaeff3 DevToolsUIBindings::LoadNetworkResource()
(this is handling DevToolsHostMsg_DispatchOnEmbedder IPC).
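
Added example, not part of the original report or of Chromium's code: a small Node.js audit that finds sourceMappingURL annotations in inline scripts and evaluates whether a chosen CSP directive would permit each URL, which is the check the report proposes as a third condition. The function names, the sample page URL and the simplified source matching (no path matching, no scheme inheritance from the page) are assumptions of this example.

```javascript
// Parse a CSP header value into { directive: [source expressions] }.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Simplified source-expression match (assumption: not a full CSP matcher).
// Handles '*', 'self', scheme sources, and host sources with "*." and ports.
function sourceAllows(expr, url, pageOrigin) {
  if (expr === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (expr === "'self'") return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?/i.exec(expr);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const hostOk = wild ? url.hostname.endsWith('.' + host.toLowerCase())
                      : url.hostname === host.toLowerCase();
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  const portOk = port === '*' || (port || defaultPort) === (url.port || defaultPort);
  return hostOk && portOk;
}

// Report each sourceMappingURL found in inline <script> bodies and whether the
// given directive (falling back to default-src) would allow fetching it.
function auditSourceMaps(html, cspHeader, pageUrl, directive = 'connect-src') {
  const policy = parseCsp(cspHeader);
  const sources = policy[directive] || policy['default-src'];
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const script of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    for (const ann of script[1].matchAll(/\/\/[#@]\s*sourceMappingURL=(\S+)/g)) {
      const url = new URL(ann[1], pageUrl);
      const allowed = !sources || sources.some(s => sourceAllows(s, url, pageOrigin));
      findings.push({ url: url.href, allowed });
    }
  }
  return findings;
}

// Constructed sample page, modelled on the snippet in the report.
const SAMPLE_HTML = `<script nonce="mytestnonce">
//# sourceMappingURL=http://localhost:8080/resources/dummy.txt
</script>`;
const SAMPLE_PAGE = 'http://127.0.0.1:8000/test.html'; // hypothetical page URL
console.log(auditSourceMaps(SAMPLE_HTML, "script-src 'nonce-mytestnonce'; connect-src 'self'", SAMPLE_PAGE));
```

Passing 'script-src' as the fourth argument evaluates the same annotation against script-src instead, since the report leaves open which directive should govern the fetch.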
Cc: dgozman@chromium.org pfeldman@chromium.org
Components: Platform>DevTools Blink>SecurityFeature
Owner: dgozman@chromium.org
Status: Assigned (was: Available)
dgozman@:

Would you be able to suggest how to hook up DevTools to CSP checks (i.e. calls to blink::ContentSecurityPolicy::allowConnectToSource method) so that DevTools won't fetch sourceMappingURL if the URI is blocked by CSP?

Would you be able to confirm that sourceMappingURL will not be fetched unless DevTools is opened?
Labels: Security_Severity-Low Security_Impact-Stable OS-All
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 8 2016

Labels: -Pri-3 Pri-2
I am not sure we should do anything in this case. It's not the page which fetches source map, it's DevTools which we trust.
What is the use case for restricting source map from being fetched?
Status: WontFix (was: Assigned)
Closing per lack of feedback.
Project Member

Comment 8 by sheriffbot@chromium.org, Mar 10 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
