Closed
Bug 722547
Opened 13 years ago
Closed 10 years ago
CSP can be bypassed if Content-Type is not strictly enforced, resulting in XSS
Categories
(Core :: DOM: Core & HTML, defect, P3)
Tracking
RESOLVED
WONTFIX
People
(Reporter: pauljt, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: sec-moderate, testcase, Whiteboard: [sg:moderate])
Attachments
(1 file: deleted, text/php)
+++ This bug was initially created as a clone of Bug #662227 +++
Expected Result: Firefox should not load a script file if its Content-Type is not allowed by the CSP spec.
Actual Result: Currently (tested in 9.0.1 only) Firefox will load a script file with any content-type. A page which is valid XML, and contains an XSS vulnerability, will not be protected by a CSP policy of default-src 'self'. An attacker can inject XML tags to make the web page into a valid JavaScript file (due to E4X), and then include a script tag, along with arbitrary script to be executed. See attachment below for example.
As a comment in the previous bug indicates, this issue is not likely to be specific to JavaScript (or just Firefox for that matter). Any content which can be simulated by malforming an HTML document is probably a risk. (Consider XML-based plugin types such as Acrobat XFA or XML-based office documents being loaded in browser plugins via an object tag.)
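As an added example (not Firefox code and not the reporter's attachment), the Python below models the strict script MIME check the report asks for next to the permissive legacy behaviour it describes: the JavaScript MIME type list follows the HTML Living Standard, while the `csp_protected` switch and the sample responses are constructed for illustration.

```python
# JavaScript MIME type essences as listed in the HTML Living Standard.
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})


def mime_essence(content_type):
    """Lower-cased type/subtype of a Content-Type value with parameters
    (e.g. charset) dropped; None when the header is absent or malformed."""
    if not content_type:
        return None
    essence = content_type.split(";", 1)[0].strip().lower()
    parts = essence.split("/")
    if len(parts) != 2 or not all(parts):
        return None
    return essence


def allow_script(headers, csp_protected=False):
    """Decide whether a <script src> response may execute. Strict checking
    applies when the response carries X-Content-Type-Options: nosniff (current
    browser behaviour) or, as the bug proposes, when the embedding document is
    CSP-protected; otherwise any type executes, as the report describes."""
    headers = {k.lower(): v for k, v in headers.items()}
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    if not (nosniff or csp_protected):
        return True, "legacy: Content-Type not enforced for scripts"
    essence = mime_essence(headers.get("content-type"))
    if essence in JAVASCRIPT_MIME_TYPES:
        return True, "JavaScript MIME type " + essence
    return False, "Content-Type %s is not a JavaScript MIME type" % essence


# Constructed sample responses: the well-formed XML page from the bug's
# scenario, a genuine script, and a response with no Content-Type at all.
SAMPLES = {
    "injected-xml-page": {"Content-Type": "application/xhtml+xml; charset=utf-8"},
    "real-script": {"Content-Type": "Text/JavaScript; charset=UTF-8"},
    "no-content-type": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        for csp in (False, True):
            ok, why = allow_script(hdrs, csp_protected=csp)
            print("%-18s csp=%-5s %s (%s)" % (name, csp, "execute" if ok else "block", why))
```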
Comment 2•13 years ago (Reporter)
Just as an aside: this issue is already discussed somewhat publicly on the W3 webappsec mailing list. Probably no reason to keep this hidden.
Updated•12 years ago
Keywords: sec-moderate
Comment 5•11 years ago
Can this be closed now that E4X has been removed?
Flags: needinfo?(ptheriault)
Comment 6•11 years ago (Reporter)
We probably should still check the content type, I think. The issue is that if there is XSS in a page on a domain that allows the attacker enough control over page content to make that page a valid script, a CSP of 'script-src self' will allow the attacker to load this page as script. E4X just made this attack more likely because web pages are often well-formed XML, and thus a valid script. I don't know what the HTML5 spec says, though, about enforcing the mime-types for script sources, and maybe it isn't good practice to special-case CSP.
Flags: needinfo?(ptheriault)
Comment 7•10 years ago
paul: do we want this fixed? How likely is this to be abused/abusable?
Flags: needinfo?(ptheriault)
Priority: -- → P3
Comment 8•10 years ago (Reporter)
Pretty unlikely to be abused. If you had a domain protected by a strict CSP AND there was a content injection flaw on this domain such that an attacker could massage a file to be valid JavaScript, the CSP won't do anything. The idea was that if you use a CSP, then maybe we could enforce a content-type to add an additional layer of protection in this case. But with E4X gone, the chances are pretty low, and if you have such a content injection vulnerability there are probably other attacks, so maybe this should just be a wont-fix.
Flags: needinfo?(ptheriault)
Comment 9•10 years ago
Please reopen if not wontfix after all.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX