Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Posted: 2021-04-17, 10:14
by ProtonMail
Hello,

I am contacting you on behalf of ProtonMail - the secure email provider (www.protonmail.com).

We have received multiple reports where people who wish to create a ProtonMail account using the PaleMoon browser are unable to do so. The CAPTCHA challenge does not appear as the loading animation keeps spinning. We have successfully reproduced this behavior and it only happens when using the PaleMoon browser.

Steps to reproduce:
- Go to protonmail.com
- Click on the Sign Up button
- Open and select the Free Plan
- Fill in the necessary information
- Click Create account
- In the next verification step, the CAPTCHA option won't load

Screenshot of the behavior: [attachment: image (5).png]
The same happens on our beta version (beta.protonmail.com): [attachment: image (6).png]
We suspect that nonce processing is not working as it should.

Any help regarding this problem would be much appreciated and thank you for your time.

Best Regards,
The ProtonMail team.

Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Posted: 2021-04-17, 11:44
by Moonchild
I investigated and the problem seems to be that the iframe you are loading has script tags in both the head and the body; only the script block in the body has a nonce. The script in the head is blocked as a result of your CSP since

src="https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit"
is not allowed by CSP

“script-src https://mail-api.protonmail.com 'unsafe-eval' 'nonce-YHrGr+xFAEGutbsQYgbr/AAAAG0'”
In addition, the body script nonce seems to be a mismatch? The nonce given in the body script tag is

YHrHfb1icF1AqbrbEYLRKwAAANk

Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Posted: 2021-04-19, 15:11
by mmso_
The page creates the script tag with https://www.google.com/recaptcha/api.js ... r=explicit and sets the nonce attribute on the script tag with the nonce value returned by the CSP policy before injecting it into the head.

No, the google.com recaptcha script is not allowed according to the script-src directive, but the nonce is.

In addition, I don't see the mismatch you are mentioning.
[attachment: Screenshot 2021-04-19 at 17.11.20.png]
You can reproduce this by opening:

https://mail-api.protonmail.com/core/v4 ... ken=signup

Let me know if you need anything else!

Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Posted: 2021-04-19, 15:53
by Moonchild
Here's the CSP of the request:

default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; style-src 'self' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; frame-src https://www.google.com/recaptcha/; report-uri https://reports.protonmail.ch/reports/csp;
Here's the console output.

17:46:34.702 Content Security Policy: The page’s settings blocked the loading of a resource at https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit (“script-src https://mail-api.protonmail.com 'unsafe-eval' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'”). 1 (unknown)
Only the BODY script has a nonce and is inline:

<script nonce="YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ">
...
</script>
(and yes, there is no mismatch there in the nonce; I'm not sure why I saw one when I investigated last time)

But the blocked script (mentioned in the console) is in the HEAD, and that script does not have a nonce.

<script type="text/javascript" src="https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit"></script>
I'm assuming that script is necessary for the CAPTCHA to be drawn. It is blocked by the policy you have on that page.
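The policy and the two script tags quoted in this thread, run through an added example (not code from ProtonMail or Pale Moon) that models the browser's script-src decision: the recaptcha script in the head is blocked when it carries no nonce and allowed once the matching nonce is attached, and the inline body script is allowed by its nonce. The 'self' origin is assumed to be https://mail-api.protonmail.com, as the console message expands it; 'strict-dynamic', hashes and wildcards are not modelled.

```javascript
// Added example (not ProtonMail's or Pale Moon's code): a minimal model of the
// script-src check a browser applies to each <script>, run over the policy and
// script tags quoted in this thread. 'strict-dynamic' and hashes are not modelled.
function parseCsp(policy) {          // header value -> { directive: [sources] }
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}
// Match a host-source such as https://www.google.com/recaptcha/ against a URL;
// a path ending in '/' is a prefix, anything else must match exactly.
function hostSourceMatches(source, url) {
  const u = new URL(url);
  const p = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(source) ? source : `${u.protocol}//${source}`);
  if (p.protocol !== u.protocol || p.host !== u.host) return false;
  return p.pathname.endsWith('/') ? u.pathname.startsWith(p.pathname) : p.pathname === u.pathname;
}
// Is { src?, nonce? } allowed by script-src (falling back to default-src)?
// pageOrigin is the document origin that 'self' stands for.
function scriptAllowed(policy, script, pageOrigin) {
  const d = parseCsp(policy);
  const sources = d['script-src'] || d['default-src'] || [];
  // A nonce attribute matching a 'nonce-...' source allows the script regardless of src.
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  // Inline script without a matching nonce: only 'unsafe-inline' allows it, and CSP3
  // ignores 'unsafe-inline' once the directive carries a nonce or hash source.
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  if (!script.src) return !hasNonceOrHash && sources.includes("'unsafe-inline'");
  return sources.some(s => s === "'self'"
    ? script.src.startsWith(pageOrigin + '/')
    : !s.startsWith("'") && hostSourceMatches(s, script.src));
}
// Policy, nonce and script URL as quoted in the thread; ORIGIN is the expansion of 'self'.
const PROTON_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; " +
  "style-src 'self' 'nonce-YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ'; frame-src https://www.google.com/recaptcha/; " +
  "report-uri https://reports.protonmail.ch/reports/csp;";
const NONCE = 'YH2l2oYhJ62Xmp4Qz0Bs1QAAAJQ';
const RECAPTCHA = 'https://www.google.com/recaptcha/api.js?onload=loadCaptcha&render=explicit';
const ORIGIN = 'https://mail-api.protonmail.com';
function demo() {  // the cases discussed in the thread
  return {
    headScriptNoNonce: scriptAllowed(PROTON_CSP, { src: RECAPTCHA }, ORIGIN),                // false
    headScriptWithNonce: scriptAllowed(PROTON_CSP, { src: RECAPTCHA, nonce: NONCE }, ORIGIN), // true
    inlineBodyWithNonce: scriptAllowed(PROTON_CSP, { nonce: NONCE }, ORIGIN),                // true
    inlineBodyNoNonce: scriptAllowed(PROTON_CSP, {}, ORIGIN),                                 // false
  };
}
```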

Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Posted: 2021-04-19, 16:06
by mmso_
Please take a look at the screenshot I included. I have highlighted the script tag in the head and show the nonce attribute of it. You can clearly see it is the same as the script tag in the body.

Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Posted: 2021-04-19, 16:15
by mmso_
Nonce attributes set like this are hidden (in case you are wondering why you don't see it in clear text: https://github.com/whatwg/html/issues/2369)

Re: Unable to create a new ProtonMail (protonmail.com) account using the PaleMoon browser.

Posted: 2021-04-19, 19:07
by Moonchild
Oh, I see. So you're (or rather Google is..? I guess their UA sniffing discrimination in recaptcha wasn't good enough) using a Chrome experiment-pushed-spec to hide nonces (squirrelling them away in DOM node properties instead of element/DOM attributes) that are in fact pointless to hide in the first place.

EDIT: I did notice one issue with our implementation that may cause this practical problem; Mozilla devs forgot to add the IDL interface entries for nonces when adding them to CSP as DOM attributes, which means they would not be accessible everywhere; yet another half-implementation we inherited. I'm thinking that would at least allow this captcha to succeed if added.