[Webkit-unassigned] [Bug 174883] New: CSP rules ignored when a page navigates to a blob URL

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=174883

            Bug ID: 174883
           Summary: CSP rules ignored when a page navigates to a blob URL
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jparadis at salesforce.com

Created attachment 316513

  --> https://bugs.webkit.org/attachment.cgi?id=316513&action=review

A PoC where a blob type html ignores CPS from container.

A CSP-protected document can create Blob-URIs that, upon being navigated 
to, execute JavaScript on the origin domain but lose all CSP 
restrictions the origin was equipped with.

PoC attached.

Observations:
- In FF, CPS rules are respected: allow/disallow unsafe-inline, nonce, etc.
- W3C does seem to indicate that CPS should be applied:

"Note: We do all this to ensure that a page cannot bypass its policy by embedding a frame or popping up a new window containing content it controls (blob: resources, or document.write())."
https://www.w3.org/TR/CSP/#initialize-document-csp

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170727/9950f3ab/attachment.html>