
Re: CSP and HTML manipulation by Internet Access Providers

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 30 Dec 2011 00:14:53 -0800
Message-ID: <CAJE5ia-Qsk79xpFfv4_4AUtZtf=-WV9bj9PV6bczXxPaP6mSbA@mail.gmail.com>
To: Hendrik Brummermann <nhb_web@nexgo.de>
Cc: public-webappsec@w3.org
This is really a bad practice by ISPs.  We've studied these
modifications in the past and found that a large fraction of them
introduce cross-site scripting vulnerabilities into web pages.  I'd
recommend always using HTTPS if folks insist on using a
man-in-the-middle attack to manipulate your content.

Adam


On Wed, Dec 28, 2011 at 6:29 PM, Hendrik Brummermann <nhb_web@nexgo.de> wrote:
> Hi,
>
> there is a hidden issue with CSP and Internet Access Providers, which
> manipulate the HTML code on the fly.
>
> The largest Internet provider in Germany (Telekom) is one of them.
> Telekom will sometimes rewrite the HTML code in transit to replace the
> URLs of images and to embed referenced JavaScript files directly into
> the HTML page.
>
> For example the original page http://stendhalgame.org/world/online.html
> does not contain any inline script. But it ends with:
>
> <script type="text/javascript"
> src="/css/jquery-00000002.js"></script><script type="text/javascript"
> src="/css/jquery.tooltip-merged.min.js"></script><script
> type="text/javascript" src="/css/00000006.js"></script></body>
> </html>
>
> If this web page is visited by a customer of German Telekom, they will
> inline that script into the <head>-element in some circumstances as the
> following screenshot shows:
>
> http://img716.imageshack.us/img716/8348/screenshothtmlmanipulat.png
>
> Firefox/8.0 will therefore create the following violation report:
>
> {
> "csp-report": {
>    "request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",
>    "blocked-uri":"self",
>    "violated-directive":"inline script base restriction",
>    "source-file":"http://stendhalgame.org/world/online.html",
>    "script-sample":"(function($){var height=$.fn.height,widt...",
>    "line-number":3
> }
> }
>
>
> Furthermore, under the same circumstances, all image URLs are replaced
> with URLs pointing to ip-addresses in the bogus 1.2.3.0/24 block:
>
> {
> "csp-report":{
>    "request":"GET http://stendhalgame.org/world/online.html HTTP/1.1",
>    "blocked-uri":"http://1.2.3.9/bmi/stendhalgame.org/images/outfit/177094812_0_0_0_0_0.png",
>    "violated-directive":"img-src http://stendhalgame.org data://*:*
> stendhalgame.org arianne.sf.net arianne.sourceforge.net
> https://sflogo.sourceforge.net"
> }
> }
>
>
> While there are some reports on ISPs manipulating HTML code (e. g.
> http://www.zdnet.de/magazin/41515603 in German), there seems to be no
> documented way for a website to prevent or even detect this manipulation.
>
> Listening to the CSP reports is too late because those reports are
> submitted after the HTML page was sent. It is not possible to use
> JavaScript to query for those reports and somehow workaround the
> situation because the JavaScript code already got inlined and disabled.
>
> A motivation for the replaced image URLs might be the reduction of
> transferred data, as this ISP server will provide dynamically-created low
> quality images. Inlining huge and cacheable JavaScript files, however,
> increases the transfer volume.
>
> TL;DR: Some providers manipulate the HTML code causing their customers
> to end up with CSP violations and there seems to be no documented way
> for a website to prevent this other than using CSP on https pages only.
>
>
Received on Friday, 30 December 2011 08:15:54 GMT
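Added example, not part of the thread or of the stendhalgame.org site: a server-side triage routine for the report-uri POSTs the thread quotes. It labels a report as the injected-inline-script symptom or as the rewritten-image-URL symptom, so the two in-transit modifications can be counted separately from ordinary violations. The 2011 Firefox report shape is taken from the mail; the `blocked-uri: "inline"` form used by later report formats is an added assumption, as are the `1.2.3.0/24` range and `/bmi/` path prefix, which are read off the single report in the mail and may not hold for other providers. The third sample report is constructed.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Fingerprints read off the report quoted in the mail (assumption about one
# provider, not a general rule): rewritten image URLs point into 1.2.3.0/24
# with a "/bmi/<original host>/..." path.
IMAGE_PROXY_NET = ipaddress.ip_network("1.2.3.0/24")
IMAGE_PROXY_PATH_PREFIX = "/bmi/"

# Samples. The first two are the reports from the mail, reflowed onto one
# JSON document each; the third is constructed so the "other" branch runs.
SAMPLE_INLINE_SCRIPT = json.dumps({"csp-report": {
    "request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",
    "blocked-uri": "self",
    "violated-directive": "inline script base restriction",
    "source-file": "http://stendhalgame.org/world/online.html",
    "script-sample": "(function($){var height=$.fn.height,widt...",
    "line-number": 3,
}})
SAMPLE_IMAGE_PROXY = json.dumps({"csp-report": {
    "request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",
    "blocked-uri": "http://1.2.3.9/bmi/stendhalgame.org/images/outfit/177094812_0_0_0_0_0.png",
    "violated-directive": "img-src http://stendhalgame.org data://*:* "
                          "stendhalgame.org arianne.sf.net arianne.sourceforge.net "
                          "https://sflogo.sourceforge.net",
}})
SAMPLE_OTHER = json.dumps({"csp-report": {  # constructed: a plain third-party load
    "request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",
    "blocked-uri": "http://cdn.example/widget.js",
    "violated-directive": "script-src http://stendhalgame.org",
}})


def classify_csp_report(payload: str) -> str:
    """Label one report-uri POST body.

    "inline-script-injected": a page that ships no inline script reports an
        inline-script violation (the <script> inlining described in the mail).
    "image-url-rewritten": the blocked image URL points into the proxy range.
    "other": anything else.
    """
    report = json.loads(payload).get("csp-report", {})
    blocked = report.get("blocked-uri", "")
    directive = report.get("violated-directive", "")

    # 2011-era Firefox reports an inline violation as blocked-uri "self" with
    # the directive "inline script base restriction"; later report formats
    # (assumed here) use blocked-uri "inline" and a "script-src ..." directive.
    inline_marker = blocked in ("self", "inline")
    script_directive = "inline script" in directive or directive.startswith("script-src")
    if inline_marker and script_directive:
        return "inline-script-injected"

    parts = urlsplit(blocked)
    if parts.hostname and directive.startswith("img-src"):
        try:
            host_ip = ipaddress.ip_address(parts.hostname)
        except ValueError:
            host_ip = None  # a DNS name, not a literal address
        if (host_ip is not None and host_ip in IMAGE_PROXY_NET
                and parts.path.startswith(IMAGE_PROXY_PATH_PREFIX)):
            return "image-url-rewritten"
    return "other"


def proxied_origin_host(payload: str):
    """For an image-url-rewritten report, return the original host the proxy
    URL embeds after "/bmi/" (assumed layout), else None."""
    if classify_csp_report(payload) != "image-url-rewritten":
        return None
    path = urlsplit(json.loads(payload)["csp-report"]["blocked-uri"]).path
    rest = path[len(IMAGE_PROXY_PATH_PREFIX):]
    return rest.split("/", 1)[0] or None


def summarize(payloads):
    """Count reports per label over a batch of report-uri POST bodies."""
    counts = {}
    for payload in payloads:
        label = classify_csp_report(payload)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for name, sample in [("inline", SAMPLE_INLINE_SCRIPT),
                         ("image", SAMPLE_IMAGE_PROXY),
                         ("other", SAMPLE_OTHER)]:
        print(name, classify_csp_report(sample), proxied_origin_host(sample))
    print(summarize([SAMPLE_INLINE_SCRIPT, SAMPLE_IMAGE_PROXY, SAMPLE_OTHER]))
```

As the thread notes, this only tells the site operator after the fact that a customer's copy of the page was altered; it does not prevent the alteration, and the inlined script has already been blocked by the time the report arrives. Its value is in separating provider-induced noise from genuine policy violations in the report log and in making the case for serving the page over HTTPS, where the rewrite cannot happen.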
