
Noscript and Content-Security-Policy rules

Posted: Wed May 31, 2017 10:04 pm
by AlexR
It seems that Firefox's implementation of Content-Security-Policy rules allows webmasters to block NoScript resources (or something along these lines).

I noticed this while debugging my webpage (which uses CSP rules to prohibit a number of things, including "data:" URIs).

I have the following in my .htaccess file:


Header set Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.gravatar.com;"
Header set X-Content-Type-Options "nosniff"
AddDefaultCharset UTF-8
Here is the page source:


<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>All issues</title>
<style>
body { background-image:url(bg.gif);background-repeat:repeat-y;background-position:center top; } 
</style>
</head>
<body>
<div class="fouc-protection" style="display: none;">
<table>
<tr>
<th class="col-date">Date</th> <th class="col-id">Description</th> <th class="col-ip">Sender IP</th><th class="col-uid">UID</th>
</tr>
<tr><td colspan="4"><p class="no_content">No reports</p></td></tr></table>
</div>
<link rel="stylesheet" media="screen" href="/style.css">
</body>
</html>
Firefox emits the following in the browser console:


Protocol error (unknownError): Failed to open input source 'data:text/css;charset=utf8,body%3Anot(%5Bid%5D)%20%7B%20cursor%3A%20auto%20!important%20%7D%20.__noscriptOpaqued__%20%7B%20opacity%3A%201%20!important%3B%20visibility%3A%20visible%3B%20filter%3A%20none%20!important%20%7D%20iframe.__noscriptOpaqued__%20%7B%20display%3A%20block%20!important%3B%20%7D%20object.__noscriptOpaqued__%2C%20embed.__noscriptOpaqued__%20%7B%20display%3A%20inline%20!important%20%7D%20.__noscriptJustOpaqued__%20%7B%20opacity%3A%201%20!important%20%7D%20.__noscriptScrolling__%20%7B%20overflow%3A%20auto%20!important%3B%20min-width%3A%2052px%20!important%3B%20min-height%3A%2052px%20!important%20%7D%20.__noscriptNoScrolling__%20%7B%20overflow%3A%20hidden%20!important%20%7D%20.__noscriptHidden__%20%7B%20visibility%3A%20hidden%20!important%20%7D%20.__noscriptBlank__%20%7B%20background-color%3A%20white%20!important%3B%20color%3A%20white%20!important%3B%20border-color%3A%20white%20!important%3B%20background-image%3A%20none%20!important%20%7D'
And the following in the page log:


Content Security Policy: The page’s settings blocked the loading of a resource at data:text/css;charset=utf8,body%3Anot(%5... (“style-src http://xfd.sourceforge.net 'unsafe-inline'”).  (unknown)
So it seems that a specifically composed CSP rule, supplied by the site author, can effectively cripple "data:" URIs and block NoScript from loading its stuff (and possibly block other stuff from other extensions, etc.).

Either there is something wrong with the way NoScript loads its surrogates, or the CSP implementation in Firefox is broken and needs to be fixed.
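The blocking reported above is exactly what the CSP source-matching rules say should happen, and a small matcher makes that visible. The following is an added example, not code from NoScript, Firefox or the poster's site: it parses the header from the post, applies the default-src fallback, and matches a URL against the source expressions that appear in this thread ('none', 'self', 'unsafe-inline', scheme-sources such as data:, and plain host-sources). The page origin http://xfd.sourceforge.net is assumed from the CSP report line in the post, and the data: URI is a truncated copy of the one in the console message. Nonces, hashes, ports, paths and wildcard hosts beyond a leading *. are out of scope.

```javascript
"use strict";
// Added example (not NoScript's or Firefox's code): a minimal CSP source-list
// matcher showing why "default-src 'none'; style-src 'self' 'unsafe-inline'"
// blocks a data: stylesheet. 'unsafe-inline' only permits inline <style> text
// and 'self' is an origin comparison, so a data: URL matches neither.

// Parse "directive src src; directive src" into Map<directive, string[]>.
// Per CSP, a repeated directive is ignored; the first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives (style-src, img-src, script-src, ...) fall back to
// default-src when absent. Returns null when nothing restricts the directive.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// Does one source expression match a parsed URL? pageOrigin is "scheme://host[:port]".
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  // 'unsafe-inline' governs inline <style>/style="" content, never a URL fetch.
  if (e === "'none'" || e === "'unsafe-inline'") return false;
  // 'self' compares origins; a data: URL has an opaque origin, so it never
  // matches 'self' even when the page (or an extension) injected it.
  if (e === "'self'") return `${url.protocol}//${url.host}` === pageOrigin;
  // scheme-source, e.g. "data:" or "https:".
  if (/^[a-z][a-z0-9+.\-]*:$/.test(e)) return url.protocol === e;
  // host-source, optionally prefixed with a scheme, e.g. "http://www.gravatar.com".
  let scheme = null;
  let host = e;
  const m = /^([a-z][a-z0-9+.\-]*):\/\/(.*)$/.exec(e);
  if (m) {
    scheme = `${m[1]}:`;
    host = m[2];
  }
  host = host.replace(/\/.*$/, ""); // drop any path part (paths are out of scope)
  if (scheme !== null && url.protocol !== scheme) return false;
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Would a load governed by `directive` be allowed to fetch urlString?
function isUrlAllowed(policy, directive, urlString, pageOrigin) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const url = new URL(urlString, pageOrigin);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Would inline content (e.g. the <style> element in the page) be allowed?
function isInlineAllowed(policy, directive) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Header from the post; page origin assumed from the CSP report line in the
// post; the data: URI is a truncated copy of the one in the console message.
const PAGE_ORIGIN = "http://xfd.sourceforge.net";
const HEADER =
  "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' http://www.gravatar.com;";
const NOSCRIPT_CSS =
  "data:text/css;charset=utf8,body%3Anot(%5Bid%5D)%20%7B%20cursor%3A%20auto%20!important%20%7D";

const policy = parsePolicy(HEADER);
console.log("inline <style> allowed:  ", isInlineAllowed(policy, "style-src"));
console.log("/style.css allowed:      ", isUrlAllowed(policy, "style-src", "/style.css", PAGE_ORIGIN));
console.log("NoScript data: CSS:      ", isUrlAllowed(policy, "style-src", NOSCRIPT_CSS, PAGE_ORIGIN));
// Listing the data: scheme-source under style-src is what lets the injected sheet load.
const relaxed = parsePolicy(HEADER.replace("style-src 'self'", "style-src 'self' data:"));
console.log("with data: in style-src: ", isUrlAllowed(relaxed, "style-src", NOSCRIPT_CSS, PAGE_ORIGIN));
```

Running it under Node prints true, true, false, true: the page's own inline `<style>` and `/style.css` pass, the data: stylesheet fails against `style-src 'self' 'unsafe-inline'`, and only an explicit `data:` scheme-source in `style-src` admits it. Note that `script-src` is not listed in the header at all, so it inherits `'none'` from `default-src`, which is the intended "block everything not named" behaviour of that policy.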

Re: Noscript and Content-Security-Policy rules

Posted: Thu Jun 01, 2017 12:49 am
by Thrawn
My initial impression is that what's most likely being blocked is the 'blocked embedded objects' placeholder. Would that apply to your site?

Re: Noscript and Content-Security-Policy rules

Posted: Thu Jun 01, 2017 1:26 am
by barbaz
That CSS includes part of ClearClick (cursorjacking protection), which would apply to nearly every site.

Re: Noscript and Content-Security-Policy rules

Posted: Thu Jun 01, 2017 2:59 am
by AlexR
There are no embedded objects on my site (but I suspect that the rule would block the placeholder too, if any existed).