InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

Bug involving XHTML, CSP, and Firefox ESR

https://forums.informaction.com/viewtopic.php?t=26306

Page 1 of 1

Bug involving XHTML, CSP, and Firefox ESR

Posted: Sun Apr 25, 2021 10:46 pm
by phyzome
Viewing this page https://www.alm.website/blog/2021/04/25/v3.1-xsite (default untrusted) with Firefox 78.9.0esr I get a blank page. (The site's author, on Firefox 84 and with the site not trusted, does not see this problem.) Disabling NoScript or allowing scripts results in the page showing; disabling NoScript *and* disabling all Javascript also results in the page showing.

It seems to have something to do with CSP processing and XHTML. I get several repetitions of the following:

Code: Select all

Content Security Policy: Couldn’t process unknown directive ‘noscript-marker’
Content Security Policy: Couldn’t process unknown directive ‘script-src-elem’
Content Security Policy: Couldn’t process unknown directive ‘script-src-attr’
with one of these mixed in:

Code: Select all

XML Document: temporary replacing <html xmlns="http://www.w3.org/1999/xhtml">  with <HTML>
DocumentCSP.js:42:17
The page currently ships with the following CSP, if this is relevant:

Code: Select all

Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'

Re: Bug involving XHTML, CSP, and Firefox ESR

Posted: Sun Apr 25, 2021 11:22 pm
by barbaz
I can confirm the bug in Firefox 88.0, NoScript 11.2.5rc1. Workaround is to enable the "object" capability for the site.

Re: Bug involving XHTML, CSP, and Firefox ESR

Posted: Mon Apr 26, 2021 10:38 am
by Giorgio Maone
barbaz wrote: Sun Apr 25, 2021 11:22 pm I can confirm the bug in Firefox 88.0, NoScript 11.2.5rc1. Workaround is to enable the "object" capability for the site.
Actually I canNOT reproduce it in Firefox >= 88, but I can see it in 78.10.0esr and can confirm the work-around.
Still trying to pinpoint the real culprit, though, since the temporary XHTML<->HTML node swap happens no matter what, so it doesn't seem to be it.

Re: Bug involving XHTML, CSP, and Firefox ESR

Posted: Mon Apr 26, 2021 12:42 pm
by Giorgio Maone
OK, I've found it: the application/xml content type triggered the code path to handle full page embeddings, and on ESR that cascaded to a window.stop() in order to prevent streaming media from starting (this doesn't happen for me on 88 and above, but it's time sensitive so it might depend on barbaz having a slower connection than mine).
I'm gonna fix it in 11.2.5rc2, thanks.

Re: Bug involving XHTML, CSP, and Firefox ESR

Posted: Mon Apr 26, 2021 12:55 pm
by skriptimaahinen
You might be able to trigger it by navigating (site -> about:newtab -> site). Can reproduce that way on 87.

Re: Bug involving XHTML, CSP, and Firefox ESR

Posted: Mon Apr 26, 2021 9:41 pm
by Giorgio Maone
Fixed in latest development build, thanks:
v 11.2.5rc2
============================================================
x [nscl] Minor fixes from the library
x [nscl] Fixed XHTML pages broken when served with
application/xml MIME type and no "object" capability
x [nscl] Switch early content script configuration to use
/nscl/service/DocStartInjection.js
x [nscl] Refactored ContentScriptOnce.js to the library
x Rename the "csspp0" capability to "unchecked_css"
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited