
A Content Security Policy was recently implemented in our software, though because it was immediately interfering with some client websites we removed it (header obviously obfuscated):

header('Content-Security-Policy: [...]');

After removing the header, and while using Waterfox 56 (Firefox 65 and Chrome 72 immediately start working; Waterfox 56 has a new profile), the following errors appear in the console despite the fact that not a single request has Content-Security-Policy set!

  • Content Security Policy: Couldn’t parse invalid host 'report-sample' (unknown)
  • Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified (unknown)
  • Content Security Policy: This site (https://[...]) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy. (unknown)
  • Content Security Policy: The page’s settings observed the loading of a resource at blob: [...]. A CSP report is being sent. (unknown)
  • Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified (unknown)
  • Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified (unknown)
  • Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified

Process of elimination:

  • Cache disabled in Waterfox 56; problem still occurs.
  • Firefox 65 and Chrome 72 immediately start working when the header is disabled at our server.
  • Verified beyond doubt that our server does not respond with the header, even for miscellaneous files.
  • Rejected resources are from the Google Calendar API; they have a header set, though the same requests in different browsers yield different results, hence we feel the problem is with Waterfox.

I imagine that the header is cached somehow... which is ridiculous, as we always have cache disabled for development purposes unless we're explicitly working with cache. The only other known potential factor is that the requests are related to the Google Calendar API and its response headers. There is one request with the header content-security-policy: script-src 'nonce-SHP3iUMj779E…self';report-uri /o/cspreport set: https://accounts.google.com/o/oauth2/iframe. However, how would this affect our client's website where the content is being displayed?


A new profile for Waterfox was created, and the request with that new profile did work. The following is the only error that is present solely in the "buggy" Waterfox profile:

Content Security Policy: The page’s settings observed the loading of a resource at blob:https://content.googleapis.com/4bafd6e0-ea6f-43b2-9b43-690cbcd6b691 (“script-src 'nonce-dxS2ZXb0sYV7IpK+nhCm6w' 'unsafe-inline'”). A CSP report is being sent. (unknown)

The obfuscated URL where the CSP is set:

https://accounts.google.com/o/oauth2/iframe#origin=https://www.example.com&rpcToken=123.456

The CSP of that URL:

script-src 'nonce-tdC4gM1/O5jBKPO3TfdC9w' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /o/cspreport

Why is Google triggering this error just for that instance of Waterfox? I've cleared all cookies, storage, etc. I will continue to try to narrow down which profile file is causing the issue.


The Waterfox profile's prefs.js file is the file that, when copied to the new profile's directory, corrupts the request. I'm going to reconstruct the file in chunks the same way I copied, tested and repeated; luckily this is not a binary file.
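The "Ignoring ..." lines in the console are not errors but advisories about fallback sources that a CSP3-aware browser discards: once a nonce is present, 'unsafe-inline' is dropped, and once 'strict-dynamic' is present, host and scheme sources such as https: and http: are dropped too. The added example below (not code from the question, Google or Waterfox) models that reduction for the iframe policy quoted above, so the three "'strict-dynamic' specified" advisories can be reproduced offline; the keyword sets, the message wording and the `analyzePolicy` function are assumptions for illustration, not copied from any browser. It also models an older engine that does not know the 'report-sample' keyword, which is the likely origin of the "Couldn't parse invalid host 'report-sample'" line.

```javascript
// Added example: a small model of how a CSP3-aware browser reduces a source
// list, reproducing the "Ignoring ..." advisories from the question. Keyword
// sets and message wording are assumptions, not any browser's actual source.

const CSP3_KEYWORDS = new Set([
  "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'",
]);

// Assumed older engine: same keywords minus 'report-sample'.
const CSP2_KEYWORDS = new Set([...CSP3_KEYWORDS].filter(k => k !== "'report-sample'"));

// Policy quoted in the question for https://accounts.google.com/o/oauth2/iframe.
const IFRAME_POLICY =
  "script-src 'nonce-tdC4gM1/O5jBKPO3TfdC9w' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';" +
  "object-src 'none';base-uri 'self';report-uri /o/cspreport";

// Split a header value into directives. The first occurrence of a directive
// name wins; later duplicates are ignored, as the CSP spec requires.
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

function isNonceOrHash(src) {
  return /^'(nonce-|sha(256|384|512)-)[^']+'$/i.test(src);
}

// Returns the effective source lists plus the advisories a browser would log.
function analyzePolicy(header, { reportOnly = false, keywords = CSP3_KEYWORDS } = {}) {
  const directives = parsePolicy(header);
  const effective = new Map();
  const warnings = [];

  for (const [name, values] of directives) {
    if (name === 'report-uri' || name === 'report-to') {
      effective.set(name, values);
      continue;
    }
    const strictDynamic = name === 'script-src' &&
      values.some(v => v.toLowerCase() === "'strict-dynamic'");
    const nonceOrHash = values.some(isNonceOrHash);
    const kept = [];
    for (const src of values) {
      const lower = src.toLowerCase();
      const isKeyword = lower.startsWith("'");
      // Unknown quoted tokens cannot be a host, so an engine that predates the
      // keyword reports a parse problem instead of honouring it.
      if (isKeyword && !isNonceOrHash(lower) && !keywords.has(lower)) {
        warnings.push(`Couldn't parse invalid host ${src}`);
        continue;
      }
      // 'strict-dynamic' makes host/scheme sources, 'self' and 'unsafe-inline'
      // irrelevant: trust flows from the nonce/hash to the scripts it loads.
      if (strictDynamic && (!isKeyword || lower === "'self'" || lower === "'unsafe-inline'")) {
        warnings.push(`Ignoring "${src}" within ${name}: 'strict-dynamic' specified`);
        continue;
      }
      // A nonce or hash disables 'unsafe-inline'; it stays in the header only
      // as a fallback for browsers that understand neither.
      if ((name === 'script-src' || name === 'style-src') && nonceOrHash && lower === "'unsafe-inline'") {
        warnings.push(`Ignoring "'unsafe-inline'" within ${name}: nonce-source or hash-source specified`);
        continue;
      }
      kept.push(src);
    }
    effective.set(name, kept);
  }

  if (reportOnly && !directives.has('report-uri') && !directives.has('report-to')) {
    warnings.push('Report-Only policy without a report URI: nothing is blocked and nothing is reported');
  }
  return { effective, warnings };
}
```

Running `analyzePolicy(IFRAME_POLICY)` leaves script-src as the nonce, 'strict-dynamic' and 'unsafe-eval' and logs exactly the three advisories seen in the question's console; the policy does carry a report-uri, so the "Report-Only policy without a report URI" line and the 'report-sample' line must come from a different response, which is consistent with the question's finding that only the blob: report differs between the two profiles.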

1 Answer


The following file and line broke Google Calendar's API and caused the Content Security Policy to error out enough to fail the request:

File: AppData\Roaming\Waterfox\Profiles\56.0\prefs.js:

user_pref("network.cookie.cookieBehavior", 1);

The network.cookie.cookieBehavior setting is described as how third-party cookies are handled. Chris Pederick's Web Developer toolbar (XUL) is installed, and third-party cookies were disabled under the Cookies menu. Enabling/disabling them fixed/reintroduced the problem.
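The copy-a-chunk, test, repeat procedure that led to this answer is a binary search over the pref lines, and it is worth automating because a real prefs.js has hundreds of them. The added example below (not code from the question or the answer) does that search in JavaScript. The prefs.js content, the `calendarBreaks` oracle and the function names are constructed for illustration: in practice the oracle would write the candidate lines into a fresh profile's prefs.js and ask whether the Google Calendar request still fails; here it simply reports a failure whenever network.cookie.cookieBehavior is 1, which is the finding above.

```javascript
// Added example: bisecting a prefs.js to find the line that reproduces a
// failure. The file content and the oracle are constructed for illustration.

const SAMPLE_PREFS = `# Mozilla User Preferences
user_pref("app.update.enabled", false);
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.memory.enable", false);
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.cookie.cookieBehavior", 1);
user_pref("devtools.toolbox.host", "bottom");
user_pref("privacy.donottrackheader.enabled", true);
user_pref("signon.rememberSignons", false);
`;

// Keep only user_pref(...) lines; comments and blank lines are not candidates.
function prefLines(text) {
  return text.split('\n').filter(l => /^\s*user_pref\(/.test(l));
}

// Parse one user_pref line into { name, value }; values are JSON literals.
function parsePref(line) {
  const m = /^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$/.exec(line);
  if (!m) return null;
  return { name: m[1], value: JSON.parse(m[2]) };
}

// Look a pref up in a candidate set of lines; undefined if absent.
function readPref(lines, name) {
  for (const l of lines) {
    const p = parsePref(l);
    if (p && p.name === name) return p.value;
  }
  return undefined;
}

// Binary search for a single culprit line. Precondition: breaks(lines) is true.
// Assumes one line is responsible; if neither half alone reproduces the
// failure the cause is an interaction, and the current set is returned whole.
function bisect(lines, breaks) {
  let tests = 0;
  const oracle = subset => { tests += 1; return breaks(subset); };
  let current = lines;
  while (current.length > 1) {
    const mid = Math.ceil(current.length / 2);
    const head = current.slice(0, mid);
    const tail = current.slice(mid);
    if (oracle(head)) current = head;
    else if (oracle(tail)) current = tail;
    else break;
  }
  return { culprit: current, tests };
}

// Constructed oracle standing in for the manual test: the Calendar request
// fails whenever third-party cookies are blocked (cookieBehavior === 1).
function calendarBreaks(lines) {
  return readPref(lines, 'network.cookie.cookieBehavior') === 1;
}

// Returns the culprit line(s) and the number of oracle runs, counting the
// initial check that the full file reproduces the failure.
function findCulprit(text = SAMPLE_PREFS, breaks = calendarBreaks) {
  const lines = prefLines(text);
  if (!breaks(lines)) return { culprit: [], tests: 1 };
  const r = bisect(lines, breaks);
  return { culprit: r.culprit, tests: r.tests + 1 };
}
```

With the eight constructed pref lines the search needs five oracle runs instead of eight, and the gap widens with the size of the real file. Each run must use a fresh profile directory, since the point of the exercise is that state other than prefs.js (cache, cookies, storage) has already been ruled out.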