I was doing some testing on the SSO dashboard and was playing with corrupting the JWT passed into the /forbidden?error=JWT_PLACEHOLDER endpoint on the SSO dashboard. I noticed that when I corrupt the JWT (simply by deleting a trailing piece of it) I can generate a 500 response, which seems appropriate, but I noted that the 500 response does not contain the relevant HTTP security headers, like CSP headers. This could be used in the future by an attacker if, say, the 500 page became configurable and accepted user input to display a richer response to the user, or in some other similar chained vulnerability to exploit the dashboard.
REQUEST

```http
GET /forbidden?error=REDACTED(original, with a trailing piece deleted)&state=REDACTED HTTP/1.1
Host: sso.mozilla.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://github.com/
Connection: close
Cookie: _ga=GA1.3.225014566.1530649067
Upgrade-Insecure-Requests: 1
```
RESPONSE

```http
HTTP/1.1 500 Internal Server Error
Server: nginx/1.15.10
Date: Tue, 16 Apr 2019 13:52:59 GMT
Content-Type: text/html
Content-Length: 141
Connection: close
Strict-Transport-Security: max-age=15724800; includeSubDomains

<title>Internal Server Error</title>
Internal Server Error
```
Recommendation: All pages should serve relevant security headers.
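The pattern behind this class of finding, as an added example that is not the reporter's code nor the dashboard's: a minimal WSGI app attaches its security headers only on the success path of the `/forbidden` view, so when parsing a truncated `?error=` token raises, the resulting 500 goes out without them. The middleware below fixes that by adding the headers inside `start_response`, which every response passes through, and by catching the exception itself so the 500 is still rendered through that path. The header names and values, the token layout, the `call()` server stand-in, and the truncation by two characters are all constructed for the example; in the report the 500 kept HSTS, which is consistent with that one header being set by a layer (nginx, presumably) that sees every response, but the page does not confirm that.

```python
"""Added example: security headers missing from the unhandled-exception (500) path
of a WSGI app, and a middleware that applies them to every response."""
import base64
import json
from typing import List, Tuple
from urllib.parse import parse_qs

Headers = List[Tuple[str, str]]

# Headers every response, error pages included, should carry. Values are illustrative.
SECURITY_HEADERS: Headers = [
    ("Strict-Transport-Security", "max-age=15724800; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
]


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment; raises binascii.Error on garbage."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwt(token: str) -> dict:
    """Split and decode a compact JWS. No signature verification here: this is only
    the parsing step that a corrupted token makes fail."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
    }


def naive_forbidden_app(environ, start_response):
    """Mimics the reported pattern: security headers are only attached on the
    success path, so an exception raised while parsing ?error= never reaches them."""
    token = parse_qs(environ.get("QUERY_STRING", "")).get("error", [""])[0]
    claims = parse_jwt(token)  # raises on a truncated token
    body = f"Forbidden: {claims['payload'].get('error', 'unknown')}".encode()
    start_response("403 Forbidden", [("Content-Type", "text/plain")] + SECURITY_HEADERS)
    return [body]


def security_headers_middleware(app):
    """Wrap any WSGI app so every response, including the 500 produced when the
    app raises, carries SECURITY_HEADERS (without duplicating ones already set)."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [h for h in SECURITY_HEADERS if h[0].lower() not in present]
            return start_response(status, headers + extra, exc_info)
        try:
            return app(environ, sr)
        except Exception:
            # Generic error page: no exception details leak to the client.
            sr("500 Internal Server Error", [("Content-Type", "text/plain")])
            return [b"Internal Server Error"]
    return wrapped


def call(app, query_string: str):
    """Stand-in for a server: returns (status, headers, body). An exception that
    escapes the app becomes a bare 500 with no app headers, like a server default."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/forbidden", "QUERY_STRING": query_string}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    try:
        body = b"".join(app(environ, start_response))
    except Exception:
        return "500 Internal Server Error", [("Content-Type", "text/html")], b"Internal Server Error"
    return captured["status"], captured["headers"], body


def missing_security_headers(headers: Headers) -> List[str]:
    """Names from SECURITY_HEADERS absent from a response's header list."""
    present = {name.lower() for name, _ in headers}
    return [name for name, _ in SECURITY_HEADERS if name.lower() not in present]


def make_token(payload: dict) -> str:
    """Constructed test token: real header/payload encoding, dummy 32-byte signature."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = json.dumps({"alg": "HS256", "typ": "JWT"}).encode()
    return ".".join([enc(header), enc(json.dumps(payload).encode()), enc(b"\x00" * 32)])


TOKEN = make_token({"error": "access_denied"})
CORRUPT = TOKEN[:-2]  # delete a trailing piece, as in the report; base64 length becomes invalid

if __name__ == "__main__":
    for label, app in [("naive", naive_forbidden_app),
                       ("middleware", security_headers_middleware(naive_forbidden_app))]:
        status, headers, _ = call(app, "error=" + CORRUPT)
        print(f"{label}: {status}; missing headers: {missing_security_headers(headers)}")
```

Running it shows the naive app's 500 missing all four headers while the wrapped app's 500 carries them; the same `missing_security_headers()` check is what you would run over the captured headers of a real error response when re-testing this recommendation.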