[Webkit-unassigned] [Bug 174883] New: CSP rules ignored when a page navigates to a blob URL
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Jul 26 20:41:31 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=174883
Bug ID: 174883
Summary: CSP rules ignored when a page navigates to a blob URL
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: jparadis at salesforce.com
Created attachment 316513
--> https://bugs.webkit.org/attachment.cgi?id=316513&action=review
A PoC where a blob type html ignores CPS from container.
A CSP-protected document can create Blob-URIs that, upon being navigated
to, execute JavaScript on the origin domain but lose all CSP
restrictions the origin was equipped with.
PoC attached.
Observations:
- In FF, CPS rules are respected: allow/disallow unsafe-inline, nonce, etc.
- W3C does seem to indicate that CPS should be applied:
"Note: We do all this to ensure that a page cannot bypass its policy by embedding a frame or popping up a new window containing content it controls (blob: resources, or document.write())."
https://www.w3.org/TR/CSP/#initialize-document-csp
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170727/9950f3ab/attachment.html>
More information about the webkit-unassigned
mailing list