Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

ProtonMail
New to the forum
Posts: 1
Joined: 2021-04-17, 09:33

Post by ProtonMail » 2021-04-17, 10:14

Hello,

I am contacting you on behalf of ProtonMail - the secure email provider (www.protonmail.com).

We have received multiple reports from people who wish to create a ProtonMail account using the PaleMoon browser and are unable to do so. The CAPTCHA challenge does not appear; the loading animation keeps spinning. We have successfully reproduced this behavior, and it only happens when using the PaleMoon browser.

Steps to reproduce:
- Go to protonmail.com
- Click on the Sign Up button
- Open and select the Free Plan
- Fill in the necessary information
- Click Create account
- In the next verification step, the CAPTCHA option won't load

Screenshot of the behavior: (attachment: image (5).png)

The same happens on our beta version (beta.protonmail.com): (attachment: image (6).png)
We suspect that nonce processing is not working as it should.

Any help regarding this problem would be much appreciated and thank you for your time.

Best Regards,
The ProtonMail team.

Moonchild
Pale Moon guru
Posts: 29947
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Post by Moonchild » 2021-04-17, 11:44

I investigated and the problem seems to be that the iframe you are loading has script tags in both the head and the body; only the script block in the body has a nonce. The script in the head is blocked as a result of your CSP since

Code:
    src="https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit"

is not allowed by CSP

Code:
    “script-src https://mail-api.protonmail.com 'unsafe-eval' 'nonce-YHrGr+xFAEGutbsQYgbr/AAAAG0'”

In addition, the body script nonce seems to be a mismatch? The nonce given in the body script tag is

Code:
    YHrHfb1icF1AqbrbEYLRKwAAANk
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

mmso_
Newbie
Posts: 4
Joined: 2021-02-17, 08:24

Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Post by mmso_ » 2021-04-19, 15:11

The page creates the script tag with https://www.google.com/recaptcha/api.js ... r=explicit and sets the nonce attribute on the script tag with the nonce value returned by the CSP policy before injecting it into the head.

No, the google.com reCAPTCHA script is not allowed according to the script-src directive, but the nonce is.

In addition, I don't see the mismatch you are mentioning.
(attachment: Screenshot 2021-04-19 at 17.11.20.png)
You can reproduce this by opening:

https://mail-api.protonmail.com/core/v4 ... ken=signup

Let me know if you need anything else!

Moonchild
Pale Moon guru
Posts: 29947
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Post by Moonchild » 2021-04-19, 15:53

Here's the CSP of the request:

Code:
    default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; style-src 'self' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; frame-src https://www.google.com/recaptcha/; report-uri https://reports.protonmail.ch/reports/csp;

Here's the console output.

Code:
    17:46:34.702 Content Security Policy: The page’s settings blocked the loading of a resource at https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit (“script-src https://mail-api.protonmail.com 'unsafe-eval' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'”). 1 (unknown)

Only the BODY script has a nonce and is inline:

Code:
    <script nonce="YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ">
    ...
    </script>

(and yes, there is no mismatch there in the nonce; I'm not sure why I saw one when I investigated last time)

but the blocked script (mentioned in the console) is in the HEAD and that script does not have a nonce.

Code:
    <script type="text/javascript" src="https://www.google.com/recaptcha/api.js?onload=loadCaptcha&amp;render=explicit"></script>

I'm assuming that script is necessary for the CAPTCHA to be drawn. It is blocked by the policy you have on that page.
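The disagreement in the two posts above turns on how a script-src list is evaluated for an external script that carries a nonce. The following JavaScript is an added illustration, not code from Pale Moon, Mozilla or ProtonMail: a small model of the script-src decision, run against the policy Moonchild quoted. The page origin (https://mail-api.protonmail.com, the expansion of 'self' visible in the console message) and the script descriptions are constructed inputs, and the model leaves out hashes, wildcards and 'strict-dynamic'.

```javascript
// Added example; not code from Pale Moon, Mozilla or ProtonMail. A small model of the
// script-src decision a browser makes for one <script> element: host-source, 'self'
// and 'nonce-' matching, plus the CSP3 rule that 'unsafe-inline' is ignored once a
// nonce or hash is present. Hashes, wildcards and 'strict-dynamic' are left out.
// POLICY_HEADER is the policy quoted in the thread; PAGE_ORIGIN (the expansion of
// 'self' seen in the console message) and the script descriptions are constructed inputs.

const POLICY_HEADER =
  "default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; " +
  "style-src 'self' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; " +
  "frame-src https://www.google.com/recaptcha/; report-uri https://reports.protonmail.ch/reports/csp;";
const PAGE_ORIGIN = 'https://mail-api.protonmail.com';
const RECAPTCHA_SRC = 'https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit';

// "name value value ..." groups separated by ";"  ->  Map(name -> [values])
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// host-source matching: same scheme and host; a source path ending in "/" is a prefix,
// any other path must match exactly. A bare origin parses to path "/" and so matches all.
function hostSourceMatches(source, url) {
  let src;
  try { src = new URL(source); } catch { return false; }
  if (src.protocol !== url.protocol || src.host !== url.host) return false;
  return src.pathname.endsWith('/') ? url.pathname.startsWith(src.pathname)
                                    : url.pathname === src.pathname;
}

// script = { src?: string, nonce?: string }; no src means an inline script.
function scriptAllowed(policyText, script, pageOrigin = PAGE_ORIGIN) {
  const d = parsePolicy(policyText);
  const sources = d.get('script-src') ?? d.get('default-src');
  if (!sources) return { allowed: true, reason: 'no script-src or default-src' };

  // A matching nonce is sufficient on its own, for external and inline scripts alike;
  // the script's host does not need to appear in the list.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) {
    return { allowed: true, reason: 'nonce matches' };
  }
  if (script.src) {
    const url = new URL(script.src);
    for (const s of sources) {
      if (s === "'self'" && url.origin === pageOrigin) return { allowed: true, reason: "'self'" };
      if (!s.startsWith("'") && hostSourceMatches(s, url)) return { allowed: true, reason: 'host-source ' + s };
    }
    return { allowed: false, reason: 'no source in script-src matches ' + script.src };
  }
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return { allowed: true, reason: "'unsafe-inline'" };
  return { allowed: false, reason: 'inline script without a matching nonce' };
}

// The cases argued over in the thread, evaluated under POLICY_HEADER.
function cspDemo() {
  const nonce = 'YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ';
  return {
    headScriptNoNonce:    scriptAllowed(POLICY_HEADER, { src: RECAPTCHA_SRC }),
    headScriptWithNonce:  scriptAllowed(POLICY_HEADER, { src: RECAPTCHA_SRC, nonce }),
    headScriptOtherNonce: scriptAllowed(POLICY_HEADER, { src: RECAPTCHA_SRC, nonce: 'YHrHfb1icF1AqbrbEYLRKwAAANk' }),
    bodyInlineWithNonce:  scriptAllowed(POLICY_HEADER, { nonce }),
    sameOriginScript:     scriptAllowed(POLICY_HEADER, { src: PAGE_ORIGIN + '/assets/app.js' }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(cspDemo())) {
    console.log(name.padEnd(22), r.allowed ? 'allowed' : 'BLOCKED', '-', r.reason);
  }
}
```

The point the model makes is the one mmso_ raises: a matching nonce allows an external script whether or not its host appears in the list, so the question is not whether google.com is listed but whether the nonce the browser sees on the injected element equals the policy's nonce. The same script with no nonce, or with the other nonce quoted earlier in the thread, is blocked exactly as the console message reports. Run with node to print one line per case.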

mmso_
Newbie
Posts: 4
Joined: 2021-02-17, 08:24

Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Post by mmso_ » 2021-04-19, 16:06

Please take a look at the screenshot I included. I have highlighted the script tag in the head and show the nonce attribute of it. You can clearly see it is the same as the script tag in the body.

mmso_
Newbie
Posts: 4
Joined: 2021-02-17, 08:24

Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Post by mmso_ » 2021-04-19, 16:15

Nonce attributes set like this are hidden (in case you are wondering why you don't see it in clear text; see https://github.com/whatwg/html/issues/2369).

Moonchild
Pale Moon guru
Posts: 29947
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Post by Moonchild » 2021-04-19, 19:07

Oh, I see. So you're (or rather Google is...? I guess their UA-sniffing discrimination in reCAPTCHA wasn't good enough) using a Chrome experiment-pushed spec to hide nonces (squirrelling them away in DOM node properties instead of element/DOM attributes) that are in fact pointless to hide in the first place.

EDIT: I did notice one issue with our implementation that may cause this practical problem: Mozilla devs forgot to add the IDL interface entries for nonces when adding them to CSP as DOM attributes, which means they would not be accessible everywhere; yet another half-implementation we inherited. I'm thinking that would at least allow this captcha to succeed if added.
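To make the nonce-hiding behaviour discussed in the last three posts concrete, here is an added JavaScript model. It is not code from Pale Moon, Mozilla, Google or ProtonMail; it models what the HTML spec (the change tracked in whatwg/html#2369) does with a script element's nonce, and what a browser that lacks the `nonce` IDL attribute would see. Two things are assumptions: the "no IDL" document stands for the situation Moonchild describes and is not a description of Pale Moon's actual implementation, and since the thread does not show whether the signup page sets the nonce with setAttribute or by assigning the `nonce` property, both paths are run.

```javascript
// Added example; not code from Pale Moon, Mozilla, Google or ProtonMail. A minimal model
// of HTML's nonce hiding: a script element keeps its nonce in an internal
// [[CryptographicNonce]] slot that CSP checks; the `nonce` IDL attribute reads and writes
// that slot (it is not reflected to a content attribute); and when the element becomes
// connected under a header-delivered CSP, the nonce *content* attribute is blanked, so an
// element inspector or getAttribute('nonce') shows "" while the slot keeps the value.
// hasNonceIdl=false is an assumed stand-in for a browser without the IDL attribute.

class ScriptElement {
  constructor(hasNonceIdl) {
    this.attributes = new Map();
    this.cryptographicNonce = '';      // the [[CryptographicNonce]] slot; CSP compares this
    if (hasNonceIdl) {
      Object.defineProperty(this, 'nonce', {
        get: () => this.cryptographicNonce,
        set: (v) => { this.cryptographicNonce = String(v); },
      });
    }
    // Without the IDL attribute, `el.nonce = x` merely creates an expando property
    // on the JS object; nothing the CSP check looks at changes.
  }
  setAttribute(name, value) {
    this.attributes.set(name, String(value));
    // attribute change steps: a changed nonce content attribute updates the slot
    if (name === 'nonce') this.cryptographicNonce = String(value);
  }
  getAttribute(name) { return this.attributes.has(name) ? this.attributes.get(name) : null; }
  // "becomes browsing-context connected" steps: blank the content attribute, keep the slot
  becomeConnected(headerDeliveredCsp) {
    if (headerDeliveredCsp && this.getAttribute('nonce')) {
      const keep = this.cryptographicNonce;
      this.setAttribute('nonce', '');
      this.cryptographicNonce = keep;
    }
  }
}

function makeDocument(hasNonceIdl) { return { hasNonceIdl, head: [], headerDeliveredCsp: true }; }

// What the signup page does per the thread: build the reCAPTCHA <script>, give it the
// policy's nonce, inject it into <head>. `how` is 'attribute' or 'property' (assumed paths).
function injectRecaptcha(doc, policyNonce, how) {
  const s = new ScriptElement(doc.hasNonceIdl);
  s.setAttribute('src', 'https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit');
  if (how === 'attribute') s.setAttribute('nonce', policyNonce);
  else s.nonce = policyNonce;
  doc.head.push(s);
  s.becomeConnected(doc.headerDeliveredCsp);
  return s;
}

// The nonce comparison CSP performs: the slot must be non-empty and equal to the policy's nonce.
function passesNonceCheck(el, policyNonce) {
  return el.cryptographicNonce !== '' && el.cryptographicNonce === policyNonce;
}

function inspect(el, policyNonce) {
  return {
    contentAttribute: el.getAttribute('nonce'),   // what an element inspector shows
    idlProperty: el.nonce,                        // what page script sees via el.nonce
    cspAllows: passesNonceCheck(el, policyNonce),
  };
}

function nonceDemo() {
  const n = 'YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ';       // nonce quoted in the thread
  return {
    withIdl_setAttribute: inspect(injectRecaptcha(makeDocument(true),  n, 'attribute'), n),
    withIdl_property:     inspect(injectRecaptcha(makeDocument(true),  n, 'property'),  n),
    noIdl_setAttribute:   inspect(injectRecaptcha(makeDocument(false), n, 'attribute'), n),
    noIdl_property:       inspect(injectRecaptcha(makeDocument(false), n, 'property'),  n),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(nonceDemo())) {
    console.log(name.padEnd(21), 'attr=' + JSON.stringify(r.contentAttribute),
      'idl=' + JSON.stringify(r.idlProperty), 'csp=' + (r.cspAllows ? 'allowed' : 'BLOCKED'));
  }
}
```

Under this model the blanked content attribute is why the nonce was not visible in the element inspector while the IDL property, and the CSP check, still see it. It also shows the limit of the proposed fix: a missing IDL attribute only loses the nonce when the page assigns `el.nonce`, because `setAttribute('nonce', …)` still reaches the slot through the attribute change steps. Which of the two the page does determines whether adding the IDL entries alone makes the CAPTCHA load.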
