Bug: interaction between noscript and csp

Posted: Sun Dec 25, 2011 5:31 pm
by BruceBerry
Hi,

NoScript 2.2.4 triggers a CSP violation on pages that disable inline scripts using the X-Content-Security-Policy header.
It seems that CSP considers the following NoScript-provided snippet as an inline script executed in the context of the CSP-enabled page and denies the execution attempt.

Code:

try{
    window.toStaticHTML = function toStaticHTML(s) {
        var t = document.createElement("toStaticHTML");
        t.setAttribute("data-source", s);
        document.documentElement.appendChild(t);
        var ev = document.createEvent("Events");
        ev.initEvent("NoScript:toStaticHTML", true, false);
        t.dispatchEvent(ev);
        return t.innerHTML;        
    }
    
} catch(e){
    
}
Any header value that does not enable inline scripts should do, e.g. allow 'self'.
In PHP, you can create a test page with

Code:

<?php header("X-Content-Security-Policy: allow 'self'"); ?>
I believe you need to tell NoScript to execute scripts on the domain hosting the test page or the script will be stopped before the actual CSP check.
For completeness, here is the full CSP report:

Code:

CSP debug: Constructed violation report:
{"csp-report":{"request":"GET http://localhost/spiderTest/csp.php HTTP/1.1","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"http://localhost/spiderTest/csp.php","script-sample":"try{window.toStaticHTML = function toSta..."}}
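
As an added example (not part of the original post, and not NoScript or Firefox code), here is one way a site operator collecting these reports could separate violations caused by extension-injected inline scripts from the page's own, using the report above. The function names and the KNOWN_INJECTED list are assumptions for illustration.

```javascript
// Added example, not NoScript or Firefox code. KNOWN_INJECTED is a
// hypothetical list; its one entry is the start of the snippet quoted above.
const KNOWN_INJECTED = [
  { origin: "NoScript toStaticHTML surrogate",
    source: "try{\n    window.toStaticHTML = function toStaticHTML(s) {\n" +
            "        var t = document.createElement(\"toStaticHTML\");" },
];

// script-sample is truncated ("...") and its whitespace differs from the
// injected source ("try{window" vs. "try{\n    window"): compare without it.
function normalizeSample(sample) {
  return sample.replace(/\.\.\.$/, "").replace(/\s+/g, "");
}

function triageCspReport(rawJson) {
  let body;
  try {
    body = JSON.parse(rawJson)["csp-report"];
  } catch (e) {
    return { verdict: "malformed" };
  }
  if (!body || typeof body !== "object") return { verdict: "malformed" };

  const directive = String(body["violated-directive"] || "");
  if (!/inline script/i.test(directive)) {
    return { verdict: "other-directive", directive };
  }
  const sample = normalizeSample(String(body["script-sample"] || ""));
  // A minimum length keeps an empty or tiny sample from matching everything.
  const hit = sample.length >= 16 && KNOWN_INJECTED.find(
    (k) => k.source.replace(/\s+/g, "").startsWith(sample));
  return hit
    ? { verdict: "extension-injected", origin: hit.origin, page: body["source-file"] }
    : { verdict: "page-inline-script", page: body["source-file"] };
}

// The report from the post above, verbatim.
const REPORT_FROM_POST = '{"csp-report":{"request":"GET http://localhost/spiderTest/csp.php HTTP/1.1","blocked-uri":"self","violated-directive":"inline script base restriction","source-file":"http://localhost/spiderTest/csp.php","script-sample":"try{window.toStaticHTML = function toSta..."}}';
// Constructed report for an inline script that belongs to the page itself.
const CONSTRUCTED_REPORT = JSON.stringify({ "csp-report": {
  "violated-directive": "inline script base restriction",
  "source-file": "http://localhost/spiderTest/csp.php",
  "script-sample": "var analytics = window.analytics || [];..." } });

console.log(triageCspReport(REPORT_FROM_POST).verdict);
console.log(triageCspReport(CONSTRUCTED_REPORT).verdict);
```

A prefix match is a triage hint, not proof of origin: a page's own inline script that opens with the same text would be classified the same way.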

Re: Bug: interaction between noscript and csp

Posted: Sun Jan 08, 2012 9:51 am
by Tom T.
I'm sorry that this has been unanswered for two weeks. Unfortunately, Giorgio is relatively unavailable until the completion of his relocation and connection to his new ISP. Still, I'll PM him and ask him to look at this whenever he's able. He is the only one who can actually change NoScript coding.

By the way, have you tried latest NS, 2.2.5, just in case there is a difference?

Thank you for your patience.

Re: Bug: interaction between noscript and csp

Posted: Tue Jan 10, 2012 2:22 am
by GµårÐïåñ
Hmmm....I thought this was resolved already and should have been implemented in the new version, did it somehow regress or break?

Re: Bug: interaction between noscript and csp

Posted: Mon Jan 23, 2012 3:56 am
by BruceBerry
Sorry for the long delay... unlike Giorgio, I have no excuse :-)
I just verified it with 2.2.7 and the bug is still there.

Re: Bug: interaction between noscript and csp

Posted: Mon Jan 23, 2012 4:01 am
by Tom T.
BruceBerry wrote: Sorry for the long delay... unlike Giorgio, I have no excuse :-)
I just verified it with 2.2.7 and the bug is still there.
JOC, have you tried reproducing this with a supported stable release of Fx, currently 9.01?

It could be a bug in the alpha build that you're using. Might as well eliminate - or confirm -- that.
If it is, then MZ will surely want to know about it. Thanks.

Re: Bug: interaction between noscript and csp

Posted: Mon Jan 23, 2012 4:09 am
by BruceBerry
Confirmed for 9.0.1

Re: Bug: interaction between noscript and csp

Posted: Mon Jan 23, 2012 6:44 am
by Tom T.
BruceBerry wrote: Confirmed for 9.0.1
Thanks.

Per GµårÐïåñ's comment, I searched the changelog for "csp", "content security policy", and other variations, and came up empty.

Ball in Giorgio's court, unless GµårÐïåñ can find the previous fix, compare to current version, and send it to Giorgio to include in next dev or release.

Re: Bug: interaction between noscript and csp

Posted: Thu Jan 26, 2012 6:26 am
by GµårÐïåñ
It was outside of the public scope of the forum but it was discussed, a workaround was proposed and implemented relating to a bug in Fx core but it may have been contraindicated based on a patch or a fix or an attempted something by Fx. Who knows, I will let Giorgio deal with it when he can.

Re: Bug: interaction between noscript and csp

Posted: Thu Jan 26, 2012 6:48 am
by Tom T.
GµårÐïåñ wrote: It was outside of the public scope of the forum but it was discussed, a workaround was proposed and implemented relating to a bug in Fx core but it may have been contraindicated based on a patch or a fix or an attempted something by Fx. Who knows, I will let Giorgio deal with it when he can.
Thank you, my friend.

Since it sounds like you were part of that private discussion (I may be wrong), could you perhaps contact Giorgio and see whether it's now possible to fix, for the newer Fx versions? Or if still not possible due to Fx bug, I'm sure OP would like to know that. And whether there's an open Bugzilla report on it.

Thanks again.

Re: Bug: interaction between noscript and csp

Posted: Thu Jan 26, 2012 8:32 am
by GµårÐïåñ
If I get a chance to find the Bug Report # or the private emails and sanitize them, I will post them but in the meantime, I will give Giorgio a holler and see what he can add.

Re: Bug: interaction between noscript and csp

Posted: Thu Jan 26, 2012 10:37 am
by Giorgio Maone
This is due to the way NoScript injects surrogates and other content scripts in top level pages (i.e. by using inline script elements).
This choice was made because the "better" way (which would work around this problem), i.e. using Components.utils.Sandbox, leaked badly due to a rather elusive Firefox bug.
I'm gonna re-evaluate that method, hoping they fixed the bug in the meanwhile (they should, since it affects most if not all the SDK add-ons out there).

Re: Bug: interaction between noscript and csp

Posted: Sat Feb 04, 2012 11:44 am
by Giorgio Maone
Please check latest development build 2.2.9rc2, thanks.