Bug with NoScript and Content-Security-Policy

imp
Posts: 3
Joined: Thu Oct 02, 2014 3:45 pm

Bug with NoScript and Content-Security-Policy

Post by imp »

No CSP report is generated when NoScript is activated and test.html (see code below) is loaded with the following CSP header: Content-Security-Policy: default-src 'self'; report-uri http ://127.0.0.1:3000 from the following url: http ://127.0.0.1:4000/test.html?default=alert(1);

test.html:

<!DOCTYPE html>
<html><head></head><body></body>
	<script src="test.js"></script>
</html>
test.js:

// Take everything after "default=" in the page URL as the script body.
var c = document.location.href.substring(document.location.href.indexOf("default=") + 8);
// Build an inline <script> from that text (textContent for standards browsers, innerText for old IE).
var script = document.createElement('script');
script[script.innerText === undefined ? "textContent" : "innerText"] = c;
// Inserting it executes the inline script, which default-src 'self' forbids, so a CSP violation is expected.
document.documentElement.appendChild(script);
The CSP report in firefox without NoScript:

{"csp-report":{"document-uri":"http ://127.0.0.1:4000/test.html?default=alert(1);","referrer":"","violated-directive":"default-src 'self'","original-policy":"default-src 'self'; report-uri http ://127.0.0.1:3000","blocked-uri":"","source-file":"http ://127.0.0.1:4000/test.js","line-number":4,"column-number":26,"status-code":200}}
The exact same report is generated with Chromium Version 37.0.2062.120 Ubuntu 12.04 (281580) (64-bit).

This was tested with NoScript 2.6.8.43 and firefox 32.0.3 Mozilla Firefox for Ubuntu canonical - 1.0

There is an extra space added in all URLs above directly after the http; this is done to not trigger the spam filter in this forum.
If any more information is needed to reproduce this issue I will be happy to answer.
barbaz
Senior Member
Posts: 11070
Joined: Sat Aug 03, 2013 5:45 pm

Re: Bug with NoScript and Content-Security-Policy

Post by barbaz »

imp wrote: http ://127.0.0.1:4000/test.html?default=alert(1);
Since you're using two different ports, that might be setting off the XSS filter.
When it fails, anything related in the Browser Console? (Ctrl-Shift-J)
Does it still fail if you use two different URLs on the same port?
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Bug with NoScript and Content-Security-Policy

Post by Giorgio Maone »

The destination of the report must be in NoScript's whitelist for the report not to be blocked.
In this case, you need 127.0.0.1:4000 to be added to the whitelist.
imp
Posts: 3
Joined: Thu Oct 02, 2014 3:45 pm

Re: Bug with NoScript and Content-Security-Policy

Post by imp »

The problem is not that it is setting off the XSS filter; it is that when NoScript is installed it interferes with the browser's normal behavior of sending a CSP report to the specified report-uri when the site encounters code that violates the specified CSP header.

In this case the CSP header is Content-Security-Policy: default-src 'self'; report-uri http ://127.0.1.1:3000, which means that the browser should enforce CSP on this site with the restriction 'self' on all types of content, and that if any of these restrictions are violated then an error report should be sent to the address specified by the report-uri. In this case the report will be sent to http ://127.0.1.1:3000.

The Browser console shows that the CSP has indeed been violated:

Content Security Policy: The page's settings blocked the loading of a resource: An attempt to execute inline scripts has been blocked
alert(1);
I changed the report IP to another IP to make sure that it is not connected to this issue.
The result was unchanged, when NoScript is activated the error report is not sent which it should be as we intentionally violate the CSP policy.

When running the same test without NoScript then firefox acts correctly and sends out the following error to the intended report-uri:

{"csp-report":{"document-uri":"http ://127.0.0.1:4000/test.html?default=alert(1);","referrer":"","violated-directive":"default-src 'self'","original-policy":"default-src 'self'; report-uri http ://127.0.1.1:3000","blocked-uri":"","source-file":"http ://127.0.0.1:4000/test.js","line-number":4,"column-number":26,"status-code":200}}
I have set up my environment so that on IP 127.0.0.1 with port 4000 my server will serve the test.html file and the test.js file.
I have set the CSP header to report any violations to the IP 127.0.1.1 on port 3000. I'm also logging all traffic that is sent to this port so that I can verify the generated CSP reports.
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Bug with NoScript and Content-Security-Policy

Post by Giorgio Maone »

imp wrote: I have set up my environment so that on IP 127.0.0.1 with port 4000 my server will serve the test.html file and the test.js file.
I have set the CSP header to report any violations to the IP 127.0.1.1 on port 3000. I'm also logging all traffic that is sent to this port so that i can verify the generated CSP reports.
... and did you whitelist both 127.0.0.1:4000 AND 127.0.0.1:3000 in your NoScript whitelist?

N.B.: the XSS filter has nothing to do with this.
imp
Posts: 3
Joined: Thu Oct 02, 2014 3:45 pm

Re: Bug with NoScript and Content-Security-Policy

Post by imp »

I think I understand now: this is an intended behavior of NoScript, to block any CSP reports from being sent, and it is indeed as you say that if I add 127.0.0.1:4000 and 127.0.1.1:3000 the CSP report will be sent.

Thank you very much for clearing things up!
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Bug with NoScript and Content-Security-Policy

Post by Thrawn »

Hmm...Giorgio, I can't see this feature anywhere at noscript.net/changelog. What was the motivation for it?
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Bug with NoScript and Content-Security-Policy

Post by Giorgio Maone »

Thrawn wrote: Hmm...Giorgio, I can't see this feature anywhere at noscript.net/changelog. What was the motivation for it?
We're preventing CSP reports from being used as an exfiltration channel unless the user trusts the 3rd party accepting the logs.
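The thread turns on two things: what a csp-report body contains (note that document-uri carries the full query string, here ?default=alert(1);), and whether the report-uri points at a different origin than the page, which is the "3rd party" case NoScript blocks unless whitelisted. The following is an added example, not code from the thread or from NoScript: a small collector-side validator that parses the report imp logged and flags any report-uri whose origin differs from the document's origin. The sample report is constructed from the one quoted above, with the forum's spam-filter spaces removed so the URLs parse.

```python
import json
from urllib.parse import urljoin, urlsplit

# Constructed sample: the report body quoted in the thread, URLs unbroken.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://127.0.0.1:4000/test.html?default=alert(1);",
    "referrer": "",
    "violated-directive": "default-src 'self'",
    "original-policy": "default-src 'self'; report-uri http://127.0.1.1:3000",
    "blocked-uri": "",
    "source-file": "http://127.0.0.1:4000/test.js",
    "line-number": 4, "column-number": 26, "status-code": 200}})


def origin(url):
    """scheme://host:port of a URL, the unit a site whitelist matches on."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def report_uris(policy):
    """Destinations named by the report-uri directive of a CSP header value."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "report-uri":
            return parts[1:]
    return []


def parse_csp_report(body):
    """Validate a POSTed csp-report body and return the fields worth logging.

    third_party_collectors lists report-uri targets whose origin is not the
    document's own origin; relative report-uri values resolve to same-origin.
    """
    outer = json.loads(body)
    if set(outer) != {"csp-report"}:
        raise ValueError("not a csp-report body")
    r = outer["csp-report"]
    if "violated-directive" not in r or "document-uri" not in r:
        raise ValueError("required csp-report fields missing")
    if not isinstance(r.get("line-number", 0), int):
        raise ValueError("line-number must be an integer")
    doc = r["document-uri"]
    return {
        "document": doc,  # includes the query string, hence the leak concern
        "directive": r["violated-directive"],
        "source": r.get("source-file", ""),
        "line": r.get("line-number"),
        "third_party_collectors": [u for u in report_uris(r.get("original-policy", ""))
                                   if origin(urljoin(doc, u)) != origin(doc)],
    }
```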