Validator: Process 'script-src-elem' in CSP

[erosman]

Example extension: (Version 0.6) https://addons.mozilla.org/en-US/firefox/addon/rust-search-extension/

Example (for those with access): https://reviewers.addons.mozilla.org/en-US/firefox/files/browse/3486213/file/manifest.json#top

manifest.json snippet "content_security_policy": "script-src-elem 'self' https://rust-search-extension.now.sh/crates/crates-index.js; script-src 'self'; object-src 'self'",

Validator should warn "content_security_policy" allows remote code execution in manifest.json

[wagnerand]

I don't think script-src-elem is valid in webextensions, but @rpl or @Rob--W would know better.

[Rob--W]

Firefox doesn't support script-src-elem (https://bugzilla.mozilla.org/show_bug.cgi?id=1529337), but we should add this to validator in case we do.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. If you think this bug should stay open, please comment on the issue with further details. Thank you for your contributions.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. If you think this bug should stay open, please comment on the issue with further details. Thank you for your contributions.

[Rob--W]

Support for script-src-elem and script-src-attr have landed in Firefox.

We should now bump the priority here, and ensure that the validator does not accept remote code through either of these directives.

I have filed a follow-up bug in Firefox to ensure that we have test coverage for the use of script-src-elem/script-src-attr: https://bugzilla.mozilla.org/show_bug.cgi?id=1779443

[Rob--W]

Permitted values:

• script-src-elem ‘self’ or ‘none’ (or empty) or moz-extension://own_uuid. In practice only ‘self’ should be allowed (the UUID cannot be known in advance, so it cannot be specified in manifest.json, and we don't want to allow extensions to load scripts from other extensions).

• script-src-attr ‘none’ (or empty) In practice this directive should not be specified, but if it is, it should not allow inline scripts (e.g. event attributes).

[bobsilverberg]

@Rob--W Is someone going to take this issue to work on? Also, in which release did these land?

[Rob--W]

@bobsilverberg It's currently Nightly-only (landed in 105), the bug for shipping is https://bugzilla.mozilla.org/show_bug.cgi?id=1782513

Nobody has worked on this issue so far, it will be a topic in the triage meeting tomorrow.

[Rob--W]

@rpl or @willdurand will author the patch, I will act as reviewer.

[willdurand]

We should now bump the priority here, and ensure that the validator does not accept remote code through either of these directives.

Interestingly, it seems thre linter currently only emits warnings for CSP.

[ioanarusiczki]

@willdurand @Rob--W

I tested on linter 5.18.0 and mainly with MV2 , and I get the following results:

• script-src-elem/attr with Sources, example: script-src-attr mail.example.com:443; script-src-elem 'self' http://*.example.com -> warnings are displayed

• script-src-elem/attr with none or self or empty -> there is no warning

• script-src-elem/attr with unsafe-eval -> warnings are displayed

• I tried a couple of tests with MV3, an example

• "content_security_policy": { "extension_pages": "script-src-attr mail.example.com:443; script-src-elem 'self' http://*.example.com" } -> the csp yellow warnings are displayed.

• I also used this example (took it from the pull request) "content_security_policy": "script-src-attr 'sha256-/b/HvSeUCyUL0XlV1ZK0nwDk18O2BpM5Scj+dZ1weIY='; script-src-elem ''sha256-/b/HvSeUCyUL0XlV1ZK0nwDk18O2BpM5Scj+dZ1weIY=''; object-src 'self'" -> there is no warning.

I think this should work as expected for now. but in case I did not understand it right please let me know.