Noscript and Content-Security-Policy rules

Post by AlexR »

It seems that Firefox's implementation of Content-Security-Policy rules allows webmasters to block NoScript resources (or something along these lines).

I noticed this while debugging my webpage (which uses CSP rules to prohibit a number of things, including "data:" URIs).

I have the following in my .htaccess file:

Code:

Header set Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.gravatar.com;"
Header set X-Content-Type-Options "nosniff"
AddDefaultCharset UTF-8

Here is the page source:

Code:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>All issues</title>
<style>
body { background-image:url(bg.gif);background-repeat:repeat-y;background-position:center top; } 
</style>
</head>
<body>
<div class="fouc-protection" style="display: none;">
<table>
<tr>
<th class="col-date">Date</th> <th class="col-id">Description</th> <th class="col-ip">Sender IP</th><th class="col-uid">UID</th>
</tr>
<tr><td colspan="4"><p class="no_content">No reports</p></td></tr></table>
</div>
<link rel="stylesheet" media="screen" href="/style.css">
</body>
</html>

Firefox emits the following in the browser console:

Code:

Protocol error (unknownError): Failed to open input source 'data:text/css;charset=utf8,body%3Anot(%5Bid%5D)%20%7B%20cursor%3A%20auto%20!important%20%7D%20.__noscriptOpaqued__%20%7B%20opacity%3A%201%20!important%3B%20visibility%3A%20visible%3B%20filter%3A%20none%20!important%20%7D%20iframe.__noscriptOpaqued__%20%7B%20display%3A%20block%20!important%3B%20%7D%20object.__noscriptOpaqued__%2C%20embed.__noscriptOpaqued__%20%7B%20display%3A%20inline%20!important%20%7D%20.__noscriptJustOpaqued__%20%7B%20opacity%3A%201%20!important%20%7D%20.__noscriptScrolling__%20%7B%20overflow%3A%20auto%20!important%3B%20min-width%3A%2052px%20!important%3B%20min-height%3A%2052px%20!important%20%7D%20.__noscriptNoScrolling__%20%7B%20overflow%3A%20hidden%20!important%20%7D%20.__noscriptHidden__%20%7B%20visibility%3A%20hidden%20!important%20%7D%20.__noscriptBlank__%20%7B%20background-color%3A%20white%20!important%3B%20color%3A%20white%20!important%3B%20border-color%3A%20white%20!important%3B%20background-image%3A%20none%20!important%20%7D'

And the following in the page log:

Code:

Content Security Policy: The page’s settings blocked the loading of a resource at data:text/css;charset=utf8,body%3Anot(%5... (“style-src http://xfd.sourceforge.net 'unsafe-inline'”).  (unknown)

So it seems that a specifically composed CSP rule, supplied by the site author, can effectively cripple "data:" URIs and block NoScript from loading its stuff (and possibly block other stuff from other extensions, etc.).

Either there is something wrong with the way NoScript loads its surrogates, or the CSP implementation in Firefox is broken and needs to be fixed.
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
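Added example (not from this thread, NoScript or Firefox): a small Python checker that applies CSP source matching to the header posted above. It takes the page origin from the log line, where Firefox replaced 'self' with http://xfd.sourceforge.net, and shows why a data: stylesheet fails under `style-src 'self' 'unsafe-inline'` while the site's own CSS and the gravatar image pass. The shortened data: URL and the relaxed policy with `data:` added are constructed for the example; matching is simplified (ports, paths, nonces and hashes are ignored).

```python
from urllib.parse import urlsplit

# Policy copied from the .htaccess in the post above.
SITE_CSP = ("default-src 'none'; style-src 'self' 'unsafe-inline'; "
            "img-src 'self' http://www.gravatar.com;")
# Hypothetical relaxation: the data: scheme source added to style-src.
RELAXED_CSP = SITE_CSP.replace("'unsafe-inline';", "'unsafe-inline' data:;")
# Origin that Firefox substituted for 'self' in the page log above.
PAGE_ORIGIN = "http://xfd.sourceforge.net"
# Constructed: a shortened form of the data: stylesheet URL from the console message.
NOSCRIPT_CSS = "data:text/css;charset=utf8,body%3Anot(%5Bid%5D)%20%7B%20cursor%3A%20auto%20%7D"


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    A repeated directive is ignored by browsers, so the first one wins."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy, directive):
    """Fetch directives (style-src, img-src, script-src, ...) fall back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def _host_matches(pattern, hostname):
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])
    return hostname == pattern


def source_matches(expr, url, page_origin):
    """Does one source expression match a resource URL? Keyword sources such as
    'unsafe-inline' never match a URL; ports and paths are ignored here."""
    expr = expr.lower()
    u, origin = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":
        return u.scheme == origin.scheme and u.hostname == origin.hostname
    if expr.startswith("'"):                      # 'none', 'unsafe-inline', nonces, hashes
        return False
    if expr.endswith(":") and "/" not in expr:   # scheme source, e.g. data: or https:
        return u.scheme == expr[:-1]
    if "://" in expr:                             # host source with an explicit scheme
        scheme, rest = expr.split("://", 1)
        scheme_ok = u.scheme == scheme or (scheme == "http" and u.scheme == "https")
    else:                                         # host source without scheme: page scheme or https
        rest = expr
        scheme_ok = u.scheme == origin.scheme or u.scheme == "https"
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return scheme_ok and u.hostname is not None and _host_matches(host, u.hostname)


def allows(header, directive, url, page_origin):
    """True if the resource would be fetched under the given directive."""
    sources = effective_sources(parse_csp(header), directive)
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    for label, policy in (("site policy", SITE_CSP), ("with data: added", RELAXED_CSP)):
        verdict = "allowed" if allows(policy, "style-src", NOSCRIPT_CSS, PAGE_ORIGIN) else "blocked"
        print(f"{label}: data: stylesheet is {verdict}")
```

Running it reports the data: stylesheet as blocked under the site policy and allowed once `data:` is listed in style-src; it also shows that script-src, which the header never mentions, inherits `default-src 'none'`. Listing `data:` admits any data: stylesheet, not just an extension's, which is the trade-off a policy author has to weigh against extension compatibility.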
Re: Noscript and Content-Security-Policy rules

Post by Thrawn »

My initial impression is that what's most likely being blocked is the 'blocked embedded objects' placeholder. Would that apply to your site?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Re: Noscript and Content-Security-Policy rules

Post by barbaz »

That CSS includes part of ClearClick (cursorjacking protection), which would apply to nearly every site.
Re: Noscript and Content-Security-Policy rules

Post by AlexR »

There are no embedded objects on my site (but I suspect that the rule would block the placeholder too, if any existed).
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0