Closed
Bug 746425
Opened 13 years ago
Closed 13 years ago
Bypass Content-Security-Policy using E4X
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 722547
People
(Reporter: yosuke.hasegawa, Unassigned)
References
()
Details
User Agent: Mozilla/5.0 (Windows NT 6.0; rv:12.0) Gecko/20100101 Firefox/12.0
Build ID: 20120411064248
Steps to reproduce:
E4X feature helps to break CSP.
HTML file is recognizable as JavaScript source with E4X feature, when no doctype or no XML declaration is given. It helps to running arbitrary js code when xss occurred, even if content is protected by Content-Security-Policy.
Actual results:
Visit following URL and raise "alert".
http://utf-8.jp/cgi-bin/csp.cgi?q=%3Cscript%20src%3d%22?q%3d%3C/div%3E%3C/body%3E%3C/html%3E;alert%281%29;%3Chtml%3E%3Cbody%3E%3Cdiv%3E%22%3E%3C/script%3E
Expected results:
Disable E4X feature for CSP protected content, or need other solution.
Reporter | ||
Updated•13 years ago
|
Comment 1•13 years ago
|
||
Why is this bug confidential? The attack surface is already public.
https://www.google.co.jp/search?q=owaspj-csp.pptx (Japanese)
FYI, you can parse HTML as JS even without E4X.
http://bakera.jp/ebi/topic/4755/comment (again Japanese)
Reporter | ||
Comment 2•13 years ago
|
||
Confidential is not unintended. my intention is to specify clearly security issue.
Although this issue is minor, It can't harm to many users, I think.
example of bypass CSP without E4X is incredibly rare case more than this issue, you know. HTML comment before meta elm is indispensable prerequisite.
Comment 3•13 years ago
|
||
What exactly is the bypass here? Haven't debugged but the CSP is "default-src 'self'" and the script tag appears to be loading itself. Is this just a duplicate of the fact that we're not checking the content-type for scripts? I don't think it's fair to blame E4X for this.
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM
Ever confirmed: true
Product: Firefox → Core
QA Contact: untriaged → general
Comment 4•13 years ago
|
||
Is it possible to add "strict-mime" option to CSP? It is more fundamental and will also prevent the comment #1 attack.
BTW, let's unhide this bug for broader audience. The attack vector is already public.
Comment 5•13 years ago
|
||
Originally the default specified behavior was strict content type checking for scripts (see bug 662227), but that has dropped out of the spec. I'd much rather have default strict checking with a 'lax-content-type' option than the reverse because people aren't going to remember to use 'strict-mime'.
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Assignee | ||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•