- From: Sid Stamm <sid@mozilla.com>
- Date: Thu, 20 Jan 2011 14:59:49 -0800
- To: Michal Zalewski <lcamtuf@coredump.cx>
- CC: Brandon Sterne <bsterne@mozilla.com>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
On 1/20/11 2:49 p, Michal Zalewski wrote:
> So, if origin-wide script inclusion is permitted, I can probably inject this:
>
> <script src="http://allowed_origin/nonexistent/path/{alert(1)}"></script>
>
> ...and have my payload execute under CSP and under Adam's proposal. In
> browsers that don't support E4X, this is probably also exploitable in
> many cases, especially with text/plain responses, hosted files, etc -
> just marginally harder.
>
> This can be fixed by strictly enforcing Content-Type.
https://wiki.mozilla.org/Security/CSP/Specification#No_inline_scripts_will_execute
"User Agents MUST NOT block:
 * Scripts imported from external files whose sources are allowed by the protected document's policy AND are served with a Content-Type of application/javascript or application/json."
We should probably make it clearer, but I think we intended to strictly
enforce content type for script elements: scripts can only be loaded
from an external file of the right content-type, and must be served from
a whitelisted origin.
The other case you present is indeed more problematic.
-Sid
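As an added illustration, not code from the thread or from the CSP draft: the check Sid describes, modelled as a function that permits a script fetch only when its origin is in the policy's script-src list AND its Content-Type, with parameters and case ignored, is one of the two types the draft names. The sample responses and host names are constructed; the one at the path from the quoted injection is a 404 page of the wrong type and is refused on that ground, as are a text/plain file and a response with no Content-Type at all.

```javascript
// Added example, not from the thread or the CSP draft; all names are the example's own.
const ALLOWED_SCRIPT_TYPES = new Set(["application/javascript", "application/json"]);

// Bare media type of a Content-Type header, ignoring parameters and case:
// "Application/JavaScript; charset=UTF-8" -> "application/javascript".
// A missing header yields null, which is never an allowed type.
function mediaType(contentType) {
  if (typeof contentType !== "string") return null;
  return contentType.split(";")[0].trim().toLowerCase();
}

// policy:   { scriptSrc: ["http://allowed.example"] }  (origins, not paths)
// response: { headers: { "content-type": "..." } }
// Only origin and Content-Type decide; status and body are ignored, so a
// path-reflecting 404 page or a text/plain upload on the whitelisted origin
// is refused exactly like a script from a foreign origin.
function scriptLoadPermitted(policy, url, response) {
  const allowedOrigins = policy.scriptSrc.map((src) => new URL(src).origin);
  if (!allowedOrigins.includes(new URL(url).origin)) {
    return { allowed: false, reason: "origin not in script-src" };
  }
  const type = mediaType(response.headers["content-type"]);
  if (!ALLOWED_SCRIPT_TYPES.has(type)) {
    return { allowed: false, reason: `Content-Type ${type} is not a script type` };
  }
  return { allowed: true, reason: "origin and Content-Type both permitted" };
}

// Constructed sample responses keyed by URL (hostnames are placeholders).
const SAMPLE_RESPONSES = {
  // genuine script on the whitelisted origin
  "http://allowed.example/app.js": { headers: { "content-type": "Application/JavaScript; charset=utf-8" } },
  // 404 page that reflects the requested path, as in the quoted injection
  "http://allowed.example/nonexistent/path/{alert(1)}": { headers: { "content-type": "text/html" } },
  // hosted text file on the whitelisted origin (the text/plain case)
  "http://allowed.example/uploads/notes.txt": { headers: { "content-type": "text/plain" } },
  // response with no Content-Type header at all
  "http://allowed.example/blob": { headers: {} },
  // valid script type, but served from an origin outside the policy
  "http://attacker.example/x.js": { headers: { "content-type": "application/javascript" } },
};

// Evaluate every sample under a policy; returns { url: allowed } for inspection.
function evaluateSamples(policy) {
  const result = {};
  for (const [url, response] of Object.entries(SAMPLE_RESPONSES)) {
    result[url] = scriptLoadPermitted(policy, url, response).allowed;
  }
  return result;
}
```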
Received on Saturday, 22 January 2011 07:06:44 UTC