Re: XSS mitigation in browsers

On 1/20/11 2:49 p, Michal Zalewski wrote:
> So, if origin-wide script inclusion is permitted, I can probably inject this:
> 
> <script src="http://allowed_origin/nonexistent/path/{alert(1)}"></script>
> 
> ...and have my payload execute under CSP and under Adam's proposal. In
> browsers that don't support E4X, this is probably also exploitable in
> many cases, especially with text/plain responses, hosted files, etc -
> just marginally harder.
> 
> This can be fixed by strictly enforcing Content-Type.

https://wiki.mozilla.org/Security/CSP/Specification#No_inline_scripts_will_execute

"User Agents MUST NOT block:
 * Scripts imported from external files whose sources are allowed by
the protected document's policy AND are served with a Content-Type of
application/javascript or application/json."

We should probably make it clearer, but I think we intended to strictly
enforce content type for script elements: scripts can only be loaded
from an external file of the right content-type, and must be served from
a whitelisted origin.

The other case you present is indeed more problematic.

-Sid
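As an added illustration (not code from this thread or from the Mozilla CSP implementation), the following Python models the gate the quoted spec text describes: an external script is only executed when its origin is on the script-src whitelist AND the response carries one of the named script content types. The function names, the sample policy, and the sample responses are constructed for the example; the 404 case shows why the content-type check, rather than the origin check alone, is what stops the "nonexistent path" trick quoted above.

```python
# Added example, not from the original thread: a model of CSP's strict
# Content-Type enforcement for <script src=...> loads.
from urllib.parse import urlsplit

# Content types the quoted draft text names as acceptable for external scripts.
ALLOWED_SCRIPT_TYPES = {"application/javascript", "application/json"}


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, host, port)


def parse_content_type(header):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    if header is None:
        return ""
    return header.split(";", 1)[0].strip().lower()


def get_header(headers, name):
    """Case-insensitive header lookup over a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def script_load_allowed(policy_origins, script_src, response_headers):
    """Decide whether a script load passes the modelled policy.

    policy_origins: origins listed in the (hypothetical) script-src directive.
    script_src: the URL named in the <script src> attribute.
    response_headers: headers the server actually returned for that URL.
    Returns (allowed, reason).
    """
    allowed_origins = {origin_of(o) for o in policy_origins}
    if origin_of(script_src) not in allowed_origins:
        return False, "origin not in script-src whitelist"
    ctype = parse_content_type(get_header(response_headers, "Content-Type"))
    if ctype not in ALLOWED_SCRIPT_TYPES:
        # This branch is what catches the 404 page, a text/plain upload, etc.
        return False, f"Content-Type {ctype!r} is not a script type"
    return True, "allowed"


if __name__ == "__main__":
    policy = ["http://allowed_origin"]  # constructed whitelist
    # Constructed responses: a real script, the server's HTML 404 page for
    # the crafted path, and a hosted text file on the same origin.
    cases = [
        ("http://allowed_origin/app.js",
         {"Content-Type": "application/javascript; charset=utf-8"}),
        ("http://allowed_origin/nonexistent/path/{alert(1)}",
         {"Content-Type": "text/html; charset=utf-8"}),
        ("http://allowed_origin/uploads/notes.txt",
         {"Content-Type": "text/plain"}),
        ("http://other.example/app.js",
         {"Content-Type": "application/javascript"}),
    ]
    for url, headers in cases:
        print(url, "->", script_load_allowed(policy, url, headers))
```

The origin check alone would let the second case through, since the URL really is on the whitelisted host; it is the Content-Type check that blocks it. Real implementations should also decide what to do with a missing or malformed Content-Type header; the model above treats both as "not a script type".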

Received on Saturday, 22 January 2011 07:06:44 UTC