W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2011

CSP and HTML manipulation by Internet Access Providers

From: Hendrik Brummermann <nhb_web@nexgo.de>
Date: Thu, 29 Dec 2011 03:29:56 +0100
Message-ID: <4EFBD0A4.3080507@nexgo.de>
To: public-webappsec@w3.org

there is a hidden issue with CSP and Internet Access Providers, which
manipulate the HTML code on the fly.

The largest Internet provider in Germany (Telekom) is one of them.
Telekom will sometimes rewriting the HTML code in transit to replace the
URLs of images and to embed referenced JavaScript files directly into
the HTML page.

For example the original page http://stendhalgame.org/world/online.html
does not contain any inline script. But it ends with:

<script type="text/javascript"
src="/css/jquery-00000002.js"></script><script type="text/javascript"
type="text/javascript" src="/css/00000006.js"></script></body>

If this web page is visited by a customer of German Telekom, they will
inline that script into the <head>-element in some circumstances as the
following screenshot shows:


Firefox/8.0 will therefore create the following violation report:

"csp-report": {
    "request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",
    "violated-directive":"inline script base restriction",
    "script-sample":"(function($){var height=$.fn.height,widt...",

Furthermore, under the same circumstances, all image URLs are replaced
with URLs pointing to ip-addresses in the bogus block:

    "request":"GET http://stendhalgame.org/world/online.html HTTP/1.1",

    "violated-directive":"img-src http://stendhalgame.org data://*:*
stendhalgame.org arianne.sf.net arianne.sourceforge.net

While there are some reports on ISP manipulating HTML code (e. g.
http://www.zdnet.de/magazin/41515603 in German), there seems to be no
documented way for a website to prevent or even detect this manipulation.

Listening to the CSP reports is too late because those reports are
submitted after the HTML page was sent. It is not possible to use
JavaScript to query for those reports and somehow workaround the
situation because the JavaScript code already got inlined and disabled.

A motivation for the replaced image URLs might be the reduction of
transfered data as this ISP server will provide dynamically-created low
quality images. Inlining huge and cacheable JavaScript files, however,
increases the transfer volume.

TL;DR: Some providers manipulate the HTML code causing their customers
to end up with CSP violations and there seems to be no documented way
for a website to prevent this other than using CSP on https pages only.
Received on Friday, 30 December 2011 06:53:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:26 UTC