[Webkit-unassigned] [Bug 156106] New: CSP: Allow bookmark JavaScript to bypass restrictions

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 1 03:53:25 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=156106

            Bug ID: 156106
           Summary: CSP: Allow bookmark JavaScript to bypass restrictions
    Classification: Unclassified
           Product: WebKit
           Version: Safari 9
          Hardware: iOS
                OS: iOS 9.3
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: HTML Events
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: craig+webkit at craigfrancis.co.uk

JavaScript running from a bookmark (aka a "bookmarklet") is run within the origin of the website you are looking at, so any CSP restrictions are applied to it as well.

It could be argued that the end user should be able to bypass any CSP restrictions, as they own and control the device (CSP is not used by the website to stop the end user from doing something to the page).

The same is true of extensions, which typically can bypass CSP restrictions (much to the annoyance of website owners).

---

For example, if a website were to issue the CSP header:

    Content-Security-Policy: connect-src 'self';

Then the following bookmark JS, used to pass the current URL to a "todo" website, would be blocked.

    javascript:(function(){
      /* Ask for a label; cancelling the prompt aborts, an empty label falls back to the page title */
      var l=window.prompt('Todo note:');
      if (l===null) return;
      if (l=='') l=document.title;
      var r=new XMLHttpRequest();
      var t=new Date().getTime();
      var n=document.title+"\n\n"+window.location.href.trim();
      var u='https://www.example.com/add/?label='+encodeURIComponent(l)+'&notes='+encodeURIComponent(n)+'&time='+encodeURIComponent(t);
      /* Cross-origin request to the todo site; this is the request that connect-src 'self' blocks */
      r.open('GET', u, true);
      r.withCredentials = true;
      r.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
      r.onload = function() {
        /* A non-JSON reply (e.g. an HTML error page) must not throw out of the handler */
        var d;
        try {
          d = JSON.parse(r.responseText);
        } catch (e) {
          d = {success: false, error_message: 'invalid response'};
        }
        if (d.success) {
          alert('Added todo item');
        } else {
          alert('Cannot add todo item: ' + d.error_message);
          r.onerror();
        }
      };
      /* Network-level failure (a CSP block surfaces here, not in onload): fall back to navigating directly */
      r.onerror = function() {
        alert('Error submitting note, will try directly...');
        window.location = u;
      };
      r.send();
    })();

Or in compressed form:

javascript:(function()%7B%20var%20l=window.prompt('Todo%20note:');%20if%20(l===null)%20return;%20if%20(l=='')%20l=document.title;%20var%20r=new%20XMLHttpRequest();%20var%20t=new%20Date().getTime();%20var%20n=document.title+%22%5Cn%5Cn%22+window.location.href.trim();%20var%20u='https://www.example.com/add/?label='+encodeURIComponent(l)+'&notes='+encodeURIComponent(n)+'&time='+encodeURIComponent(t);%20r.open('GET',%20u,%20true);%20r.withCredentials%20=%20true;%20r.setRequestHeader('Content-type',%20'application/x-www-form-urlencoded');%20r.onload%20=%20function()%20%7B%20%20%20var%20d%20=%20JSON.parse(r.responseText);%20%20%20if%20(d.success)%20%7B%20%20%20%20%20alert('Added%20todo%20item');%20%20%20%7D%20else%20%7B%20%20%20%20%20alert('Cannot%20add%20todo%20item:%20'%20+%20d.error_message);%20%20%20%20%20r.onerror();%20%20%20%7D%20%7D;%20r.onerror%20=%20function()%20%7B%20%20%20alert('Error%20submitting%20note,%20will%20try%20directly...');%20%20%20window.location%20=%20u;%20%7D;%20r.
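To make concrete why `connect-src 'self'` blocks the XMLHttpRequest above, here is an added example (not code from the bug report or from WebKit) that implements a simplified version of the CSP source-list matching a browser performs for connect-src. It handles `'none'`, `'self'`, `*`, scheme-sources and host-sources with wildcard, port and path, applies the connect-src to default-src fallback, and skips the spec's http-to-https upgrade rules. The page origin `https://site.example` and the policies in `demo()` are constructed for the demonstration; the target URL is the bookmarklet's own endpoint.

```javascript
// Added example, not code from the bug report: a simplified CSP
// "does url match source list" check for connect-src. Runs in Node (global URL).

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "connect-src 'self'; img-src *" -> Map { 'connect-src' => ["'self'"], 'img-src' => ['*'] }
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources); // first occurrence of a directive wins
  }
  return directives;
}

// Does one source expression match the request URL? (simplified: no http->https upgrade rules)
function matchesSource(expr, docOrigin, url) {
  const e = expr.toLowerCase();
  const doc = new URL(docOrigin);
  if (e === "'none'") return false;
  if (e === "'self'") return doc.protocol === url.protocol && doc.host === url.host;
  if (e === '*') return url.protocol in DEFAULT_PORT || url.protocol === doc.protocol;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source, e.g. "https:"

  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(e);
  if (!m) return false; // a keyword or syntax this simplified matcher does not handle
  const [, scheme, host, port, path] = m;
  // Without an explicit scheme the expression inherits the document's scheme
  if (scheme ? scheme + ':' !== url.protocol : doc.protocol !== url.protocol) return false;
  if (host === '*') { /* any host */ }
  else if (host.startsWith('*.')) { if (!url.hostname.endsWith(host.slice(1))) return false; }
  else if (url.hostname !== host) return false;
  // No port in the expression means "the default port for the URL's scheme"
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (port === undefined) { if (urlPort !== DEFAULT_PORT[url.protocol]) return false; }
  else if (port !== '*' && port !== urlPort) return false;
  // A path ending in "/" is a prefix match, otherwise the path must match exactly
  if (path !== undefined) {
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Decide whether an XHR/fetch from a page at docOrigin to target is permitted.
// connect-src falls back to default-src; with neither present CSP does not restrict connections.
function isConnectAllowed(header, docOrigin, target) {
  const policy = parsePolicy(header);
  const sources = policy.has('connect-src') ? policy.get('connect-src') : policy.get('default-src');
  if (sources === undefined) return true;
  const url = new URL(target);
  return sources.some((expr) => matchesSource(expr, docOrigin, url));
}

// Constructed scenario: the user is browsing PAGE and runs the bookmarklet, which requests TODO_URL.
const PAGE = 'https://site.example';
const TODO_URL = 'https://www.example.com/add/?label=x&notes=y&time=0';

function demo() {
  const policies = [
    "connect-src 'self'",                         // the header from the report: blocked
    "default-src 'self'",                         // connect-src absent, falls back: blocked
    "script-src 'self'",                          // neither connect-src nor default-src: allowed
    "connect-src 'self' https://www.example.com", // site allow-lists the todo host: allowed
    "connect-src https://*.example.com",          // wildcard subdomain: allowed
    "connect-src https://www.example.com:8443",   // port mismatch: blocked
    "connect-src https://www.example.com/add/",   // path prefix: allowed
  ];
  const out = {};
  for (const p of policies) out[p] = isConnectAllowed(p, PAGE, TODO_URL);
  return out;
}

console.log(demo());
```

The first entry of `demo()` is the situation in the report: the bookmarklet's request to `www.example.com` fails the site's `connect-src 'self'` list, the XHR fires `onerror`, and the bookmarklet falls back to a navigation (which `connect-src` does not govern). The remaining entries show what the site would have to send for the same request to pass.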
