CSP Policy: Firefox VS Chrome - google-chrome

I'm trying to do a porting of an Chrome Extension to use it on Firefox.
The extension just display some informations about the Jira ticket in Github website. In Chrome it looks like:
Everything works well after change few things, except loading images from Atlassian (Jira) website.
Due to some CSP block:
Content Security Policy: The page's settings blocked the loading of a resource at https://myproject.atlassian.net/images/icons/statuses/generic.png ("img-src").
What I don't understand, is that Content-Security-Policy: img-src is supported by both Chrome & Firefox since almost 10 years. So why do they act different?
The content-security-policy header contains for img-src:
img-src
'self'
data:
github.githubassets.com
identicons.github.com
github-cloud.s3.amazonaws.com
secured-user-images.githubusercontent.com/
github-production-user-asset-6210df.s3.amazonaws.com
*.githubusercontent.com;
Full policy:
default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimize…ithubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com github-cloud.s3.amazonaws.com secured-user-images.githubusercontent.com/ github-production-user-asset-6210df.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
So I understand why Firefox refuse to load it. But why Chrome do it without any problem?

Related

CSP behavior while sending Different CSP header value in different calls

I want to understand how the CSP will be applied when different REST responses in the page have different header value for CSP. We dont have any meta tag for CSP. CSP is applied only through response headers.
Lets take the scenarios of 3 APIs
GET /api/v1/users - Content-Security-Policy: default-src 'self' google.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' google.com
GET /api/v1/roles - Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'
GET /api/v1/permission - Content-Security-Policy: default-src 'self' google.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' google.com
In this case, what will be the CSP considered by the browser for subsequent requests?
Also, in my understanding, server sets the CSP in the response header to inform browser about what content will be allowed going forward. is that correct?
A CSP determines what resources can be loaded on a page and is only applied on pages that are rendered in the browser, typically with content type "text/html". So there is no benefit in setting it on images, scripts, styles etc.
The CSP that makes sense for an API is frame-ancestors 'none', see https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#security-headers for an explanation.

Content Security Policy violation event is not triggered

I'm trying to setup CSP headers for my application. I have intentionally left out our CDN from font-src
and style-src directives so that violation is triggered. I can see the violations on the Chrome Dev Tools console but the request to the csp-endpoint specified in the header is not triggered. I have tried by setting the report-uri attribute but that didn't help either. I'm testing this on Chrome 84 which is supposed to support report-to directive. Is there anything I'm missing here?
Content-Security-Policy-Report-Only: default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.googletagmanager.com www.google-analytics.com; style-src 'self' data: 'unsafe-inline' www.tagmanager.google.com www.fonts.googleapis.com fast.fonts.net; img-src 'self' data: www.googletagmanager.com www.google-analytics.com; form-action 'self'; font-src 'self'; connect-src 'self'; report-to csp-endpoint
Report-To: {"endpoints":[{"url":"http://localhost:8080/myapp/csp-violation-report"}],"group":"csp-endpoint","max_age":10886400}
report-to endpoints should have a secure context (actually - https:). Non-secure endpoints will be ignored.
There is some problems with resolving of localhost name, not all user agents treat it as trustworthy. The localhost should conforms to the specific (para 5) name resolution rules (pls see Let 'localhost' be localhost RFC update).
Briefly - try to use https://127.0.0.1:8080/myapp/csp-violation-report. May be a secure https: https://localhost:8080/myapp/csp-violation-report will be enough for Chrome (Chrome 84 supports the report-to directive, but Firefox - does not).

CSP setting kills site in Chrome with ERR_HTTP2_PROTOCOL_ERROR

I am adding Security Headers to my website. I am running an Nginx server.
I have used the "Content Security Policy (CSP) Generator" chrome extension to create my CSP settings.
The CSP statement added to nginx ssl.conf are:
add_header Content-Security-Policy "default-src 'self';
script-src 'report-sample' 'self' https://maps.googleapis.com/.../util.js;
style-src 'report-sample' 'self' https://code.jquery.com https://fonts.googleapis.com;
object-src 'none';
base-uri 'self';
connect-src 'self';
font-src 'self' https://fonts.gstatic.com;
frame-src 'self';
img-src 'self' data: https://code.jquery.com https://maps.gstatic.com;
manifest-src 'self';
media-src 'self';
report-uri https://???.endpoint.csper.io/;
worker-src 'none';";
The only browser these settings seems to work in is Firefox.
When I load the site in Chrome (v77.01) the site does not load. It shows the same result in Edge (Version 83.0.478.54), Safari and Opera.
I see the following info:
This site can’t be reached The webpage at https:domain.com might be temporarily down or it may have moved permanently to a new web address. ERR_HTTP2_PROTOCOL_ERROR
The ssl certificate is Lets Encrypt and is set to expire in Sept 2020.
Any advice would be greatly appreciated.
Cheers
Greg J
ok this has been fixed and as usual its really basic, feeling a bit of a douche...
Chrome browser does not like linefeeds in the CSP statement. once I made the statement a single line it worked perfectly.

Chrome shows frame-src error even if using object

i have the following Html
<object data="https://mybucket.s3-us-west-2.amazonaws.com/myfile.pdf" class="t-document-view" type="application/pdf"></object>
and the following CSP
"default-src 'none'; script-src 'self' 'nonce-{0}' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src https://*.s3-us-west-2.amazonaws.com; connect-src 'self'; child-src 'self'; report-uri /csp/report;"
On all the machine with chrome browser we can view PDF without issue. However, one of our machine we are getting error
Refused to frame 'https://mybucket.s3-us-west-2.amazonaws.com/'
because it violates the following Content Security Policy directive:
"child-src 'self'". Note that 'frame-src' was not explicitly set, so
'child-src' is used as a fallback.
To get rid of the error i have temporarily added frame-src https://*.s3-us-west-2.amazonaws.com; and its working
I have already set object-src so not sure why its trying to implement frame-src policy when we are not using frame?
Google Chrome is up to date
Version 76.0.3809.132 (Official Build) (64-bit)

Opening a PDF embedded in iframe in chrome with content security policy > plugin-types

I have the CSP (Content-security-policy) plugin-types policy set to white-list pdf type as below. When trying to open a PDF file in iframe with src attribute, It is working well with browsers IE 11, and Firefox 47+ but failing in Chrome 50+. What else is required to make it working in chrome?
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'; style-src 'self'; frame-src 'self' plugin-types application/pdf;
Error in chrome console
Resource interpreted as Document but transferred with MIME type application/pdf
Refused to load 'http://127.0.0.1/module123/open.do?id=10000' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/pdf'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>').
I had a similar problem.
To resolve the problem, I needed to add blob: to the object-src directive.
Also, I did not need to specify plugin-type.
So it would be:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self' blob:; style-src 'self'; frame-src 'self';