Bug: interaction between noscript and csp

[BruceBerry]

Hi,

NoScript 2.2.4 triggers a csp violation on pages that disable inline scripts using the X-Content-Security-Policy header.
It seems that CSP considers the following NoScript-provided snippet as an inline script executed in the context of the csp-enabled page and denies the execution attempt.

Code: Select all

try{
    window.toStaticHTML = function toStaticHTML(s) {
        var t = document.createElement("toStaticHTML");
        t.setAttribute("data-source", s);
        document.documentElement.appendChild(t);
        var ev = document.createEvent("Events");
        ev.initEvent("NoScript:toStaticHTML", true, false);
        t.dispatchEvent(ev);
        return t.innerHTML;        
    }
    
} catch(e){
    
}

Any header value that does not enable inline scripts should do, e.g. allow 'self'.
In php, you can create a test page with

Code: Select all

<?php header("X-Content-Security-Policy: allow 'self'"); ?>

I believe you need to tell noscript to execute scripts on the domain hosting the test page or the script will be stopped before the actual CSP check.
For completeness, here is the full CSP report:

Code: Select all

CSP debug: Constructed violation report:
{"csp-report":{"request":"GET http://localhost/spiderTest/csp.php HTTP/1.1","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"http://localhost/spiderTest/csp.php","script-sample":"try{window.toStaticHTML = function toSta..."}}

[Tom T.]

I'm sorry that this has been unanswered for two weeks. Unfortunately, Giorgio is relatively unavailable until the completion of his relocation and connection to his new ISP. Still, I'll PM him and ask him to look at this whenever he's able. He is the only one who can actually change NoScript coding.

By the way, have you tried latest NS, 2.2.5, just in case there is a difference?

Thank you for your patience.

[GµårÐïåñ]

Hmmm....I thought this was resolved already and should have been implemented in the new version, did it somehow regress or break?

[BruceBerry]

Sorry for the long delay... unlike Giorgio, I have no excuse
I just verified it with 2.2.7 and the bug is still there.

[Tom T.]

Sorry for the long delay... unlike Giorgio, I have no excuse
I just verified it with 2.2.7 and the bug is still there.

JOC, have you tried reproducing this with a supported stable release of Fx, currently 9.01?

It could be a bug in the alpha build that you're using. Might as well eliminate - or confirm -- that.
If it is, then MZ will surely want to know about it. Thanks.

[BruceBerry]

Confirmed for 9.0.1

[Tom T.]

Confirmed for 9.0.1

Thanks.

Per GµårÐïåñ's comment, I searched the changelog for "csp", "content security policy", and other variations, and came up empty.

Ball in Giorgio's court, unless GµårÐïåñ can find the previous fix, compare to current version, and send it to Giorgio to include in next dev or release.

[GµårÐïåñ]

It was outside of the public scope of the forum but it was discussed, a workaround was proposed and implemented relating to a bug in Fx core but it may have been contraindicated based on a patch or a fix or an attempted something by Fx. Who knows, I will let Giorgio deal with it when he can.

[Tom T.]

It was outside of the public scope of the forum but it was discussed, a workaround was proposed and implemented relating to a bug in Fx core but it may have been contraindicated based on a patch or a fix or an attempted something by Fx. Who knows, I will let Giorgio deal with it when he can.

Thank you, my friend.

Since it sounds like you were part of that private discussion (I may be wrong), could you perhaps contact Giorgio and see whether it's now possible to fix, for the newer Fx versions? Or if still not possible due to Fx bug, I'm sure OP would like to know that. And whether there's an open Bugzilla report on it.

Thanks again.

[GµårÐïåñ]

If I get a chance to find the Bug Report # or the private emails and sanitize them, I will post them but in the meantime, I will give Giorgio a holler and see what he can add.

[Giorgio Maone]

This is due to the way NoScript injects surrogates and other content scripts in top level pages (i.e. by using inline script elements).
This choice was made because the "better" way (which would work around this problem), i.e. using Components.utils.Sandbox, leaked badly due to a rather elusive Firefox bug.
I'm gonna re-evaluate that method, hoping they fixed the bug in the meanwhile (they should, since it affects most if not all the SDK add-ons out there).

[Giorgio Maone]

Please check latest development build 2.2.9rc2, thanks.