
Extension acts as fingerprinting beacon on strict CSP with report-uri sites #1140

Closed
ntninja opened this issue Dec 9, 2020 · 6 comments

Comments

@ntninja

ntninja commented Dec 9, 2020

  • Browser: Firefox 84.0b8
  • Operating System: Debian
  • Stylus Version: 1.5.13

As you are aware, when CSP is deployed with strict settings for styles this prevents any use of <style> tags to apply CSS on-the-fly: All of the page's CSS must be served from a set of trusted origins specified in the policy instead. While this alone would only render Stylus ineffective on such sites, CSP includes another feature that many sites use to monitor the issues caused by their CSP in the field called report-uri: Using this, a site can specify an arbitrary URL to be pinged whenever the browser detects a CSP violation. This again includes violations caused by extension scripts, like on the following example page (https://mm-csp-example.herokuapp.com/ was set up to test a related CSP issue with another extension):

```json
{
  "csp-report": {
    "blocked-uri": "inline",
    "column-number": 42,
    "document-uri": "https://mm-csp-example.herokuapp.com/",
    "line-number": 178,
    "original-policy": "default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; report-uri https://mm-csp-example.herokuapp.com/report_csp",
    "referrer": "",
    "source-file": "moz-extension://8ac3dc3d-6811-4d11-a81a-2d513767fe9f/content/style-injector.js",
    "violated-directive": "style-src"
  }
}
```

This can even include “samples” of the blocked content, but even without that the combination of “just” the script name and line and column numbers is likely enough to uniquely identify every CSP violating extension in existence.

If that isn't a textbook example of a perfect fingerprinting vector based on the list of installed non-CSP-compliant extensions then I don't know. And as I've discovered today, yours is far from the only extension causing these kinds of reports to be generated.

It appears that the only sensible option for injecting styles this way is using the Firefox-specific browser.contentScripts API. Which, while easy to use, is unfortunately not cross-browser.

This issue is strongly related to #125, but talks about the fingerprinting/info-leak aspect of the issue.

@tophf
Member

tophf commented Dec 9, 2020

Those who are concerned about fingerprinting via CSP reports can use an extension that modifies the CSP header. As of 1.5.14 Stylus has an option to patch the CSP header of sites to allow style assets so this will become even less of an issue.

@tophf tophf closed this as completed Dec 9, 2020
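As an added example of the header-patching approach mentioned above (this is illustrative code, not Stylus's implementation), the block below rewrites a site's Content-Security-Policy response header so that inline `<style>` elements are allowed. Its assumptions: only `style-src` (derived from `default-src` when absent) and a present `style-src-elem` are touched; nonce and hash sources are dropped from those directives because a directive carrying a nonce or hash makes `'unsafe-inline'` be ignored; and `Content-Security-Policy-Report-Only` headers are patched too, since they produce report-uri pings just the same. The `browser.webRequest` wiring at the end only runs inside an extension holding the `webRequest` and `webRequestBlocking` permissions and is a no-op under Node.

```javascript
// Added example: patch CSP response headers so extension-injected <style>
// elements no longer violate (and no longer report) the site's policy.

// Parse "a b c; d e" into [['a', ['b','c']], ['d', ['e']]], keeping order.
function parseCsp(value) {
  return value.split(';')
    .map(d => d.trim())
    .filter(d => d.length > 0)
    .map(d => {
      const [name, ...sources] = d.split(/\s+/);
      return [name.toLowerCase(), sources];
    });
}

function serializeCsp(directives) {
  return directives.map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}

// 'nonce-...' and 'sha256/384/512-...' sources: if any remain, browsers
// ignore 'unsafe-inline' in that directive, so this example removes them.
const NONCE_OR_HASH = /^'(nonce-|sha(256|384|512)-)/i;

function permitInline(sources) {
  const kept = sources.filter(s => !NONCE_OR_HASH.test(s) && s !== "'none'");
  if (!kept.includes("'unsafe-inline'")) kept.push("'unsafe-inline'");
  return kept;
}

function allowInlineStyles(value) {
  const directives = parseCsp(value);
  let style = directives.find(([name]) => name === 'style-src');
  if (!style) {
    const def = directives.find(([name]) => name === 'default-src');
    if (!def) return value;            // styles are not restricted at all
    style = ['style-src', def[1]];      // permitInline copies, default-src stays intact
    directives.push(style);
  }
  style[1] = permitInline(style[1]);
  // style-src-elem (CSP3) overrides style-src for <style> elements when present.
  const elem = directives.find(([name]) => name === 'style-src-elem');
  if (elem) elem[1] = permitInline(elem[1]);
  return serializeCsp(directives);
}

// webRequest hands over headers as [{name, value}, ...]. A response may carry
// several CSP headers and every one of them is enforced, so all are patched.
function patchResponseHeaders(headers) {
  return headers.map(h => {
    const n = h.name.toLowerCase();
    if (n !== 'content-security-policy' && n !== 'content-security-policy-report-only') return h;
    return { ...h, value: allowInlineStyles(h.value) };
  });
}

// Background-script wiring; only executes inside an extension.
if (typeof browser !== 'undefined' && browser.webRequest) {
  browser.webRequest.onHeadersReceived.addListener(
    details => ({ responseHeaders: patchResponseHeaders(details.responseHeaders) }),
    { urls: ['<all_urls>'], types: ['main_frame', 'sub_frame'] },
    ['blocking', 'responseHeaders'],
  );
}
```

The trade-off to keep in mind: adding `'unsafe-inline'` loosens the site's style policy for every script on the page, not just for the extension, so this is a per-site convenience rather than a privacy control. Stopping the report request itself, as the uBlock Origin option linked later in the thread does, is the complementary approach.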
@tophf
Member

tophf commented Dec 9, 2020

FWIW, a cleaner solution will be to implement #248. Also note that we can't use browser.contentScripts as it doesn't support regexp() targeting.

@ntninja
Author

ntninja commented Dec 10, 2020

Thanks for adding an explanation on what is wrong with the approach I suggested (although it's the only one that would work at document-start afaict).

(Saying "Those who are concerned about fingerprinting via CSP reports can use an extension that modifies CSP header." is a bit unfair though. There is a difference between finding CSP reports as such problematic (and knowing about them) and therefore disabling them, and having the browser actively leak fingerprinting data through this otherwise arguably legitimate channel because of a bug. (My personal opinion is that CSP reports themselves are mostly unproblematic, just this particular behaviour triggering extra reports is.) It's not like $USER is expecting that installing some extension will result in this being actively reported to any website that happens to be configured accordingly in some totally unrelated way. – Not that we are in disagreement anyways, so I'll just shut up now.)

@tophf
Member

tophf commented Dec 10, 2020

99.999% of users wouldn't care. Those who are really concerned about fingerprinting and tracking in general should be taking care of such things globally by disabling all kinds of pingbacks including CSP reports so this is not our concern strictly speaking.

@tophf
Member

tophf commented Dec 10, 2020

BTW it's Firefox's fault for not exempting style elements added by extensions. Chrome doesn't have this problem. Firefox devs either can't fix it or don't want to, I don't remember which, there's a ticket on bugzilla.

@tophf
Member

tophf commented Jan 8, 2021

Turns out uBlock Origin can do it out of the box:
https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#block-csp-reports

This exemplifies my statement that such a feature as blocking of CSP reports shouldn't be part of the Stylus extension because there are much better tools addressing the problem. Tools mandatory for anyone who's concerned with fingerprinting/tracking.
