- From: Hendrik Brummermann <nhb_web@nexgo.de>
- Date: Thu, 29 Dec 2011 03:29:56 +0100
- To: public-webappsec@w3.org
Hi,

there is a hidden issue with CSP and Internet Access Providers, which manipulate the HTML code on the fly. The largest Internet provider in Germany (Telekom) is one of them. Telekom will sometimes rewrite the HTML code in transit to replace the URLs of images and to embed referenced JavaScript files directly into the HTML page.

For example, the original page http://stendhalgame.org/world/online.html does not contain any inline script. But it ends with:

    <script type="text/javascript" src="/css/jquery-00000002.js"></script>
    <script type="text/javascript" src="/css/jquery.tooltip-merged.min.js"></script>
    <script type="text/javascript" src="/css/00000006.js"></script>
    </body>
    </html>

If this web page is visited by a customer of German Telekom, they will inline that script into the <head> element in some circumstances, as the following screenshot shows: http://img716.imageshack.us/img716/8348/screenshothtmlmanipulat.png

Firefox/8.0 will therefore create the following violation report:

    {
      "csp-report": {
        "request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",
        "blocked-uri": "self",
        "violated-directive": "inline script base restriction",
        "source-file": "http://stendhalgame.org/world/online.html",
        "script-sample": "(function($){var height=$.fn.height,widt...",
        "line-number": 3
      }
    }

Furthermore, under the same circumstances, all image URLs are replaced with URLs pointing to IP addresses in the bogus 1.2.3.0/24 block:

    {
      "csp-report": {
        "request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",
        "blocked-uri": "http://1.2.3.9/bmi/stendhalgame.org/images/outfit/177094812_0_0_0_0_0.png",
        "violated-directive": "img-src http://stendhalgame.org data://*:* stendhalgame.org arianne.sf.net arianne.sourceforge.net https://sflogo.sourceforge.net"
      }
    }

While there are some reports on ISPs manipulating HTML code (e.g. http://www.zdnet.de/magazin/41515603 in German), there seems to be no documented way for a website to prevent or even detect this manipulation.
Listening to the CSP reports is too late, because those reports are submitted after the HTML page was sent. It is not possible to use JavaScript to query for those reports and somehow work around the situation, because the JavaScript code already got inlined and disabled.

A motivation for the replaced image URLs might be the reduction of transferred data, as this ISP server will provide dynamically-created low quality images. Inlining huge and cacheable JavaScript files, however, increases the transfer volume.

TL;DR: Some providers manipulate the HTML code, causing their customers to end up with CSP violations, and there seems to be no documented way for a website to prevent this other than using CSP on https pages only.
Received on Friday, 30 December 2011 06:53:29 UTC
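The two report patterns quoted in the message, run through a small report-URI classifier that separates ISP-rewritten reports (an inlined copy of one of the site's own external scripts, or an image URL rewritten into the 1.2.3.0/24 block) from ordinary violations. This is an added example, not code from the message or from the stendhalgame.org site; the sample reports are constructed from the quoted ones, and KNOWN_SCRIPT_PREFIXES is assumed to hold the opening bytes of the site's own script files.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample reports, modelled on the two quoted in the message plus one
# unrelated violation for contrast.
SAMPLE_REPORTS = [
    '{"csp-report": {"request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",'
    ' "blocked-uri": "self", "violated-directive": "inline script base restriction",'
    ' "source-file": "http://stendhalgame.org/world/online.html",'
    ' "script-sample": "(function($){var height=$.fn.height,widt...", "line-number": 3}}',
    '{"csp-report": {"request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",'
    ' "blocked-uri": "http://1.2.3.9/bmi/stendhalgame.org/images/outfit/177094812_0_0_0_0_0.png",'
    ' "violated-directive": "img-src http://stendhalgame.org"}}',
    '{"csp-report": {"request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",'
    ' "blocked-uri": "http://cdn.example/x.js", "violated-directive": "script-src"}}',
]

# Assumption: the first bytes of each external script the site serves itself,
# so an inlined copy can be recognised from the report's script-sample.
KNOWN_SCRIPT_PREFIXES = ("(function($){var height=$.fn.height",)
# Block observed in the message's second report.
REWRITE_PROXY_NET = ipaddress.ip_network("1.2.3.0/24")


def classify_report(raw):
    """Label one CSP violation report (JSON string) by the pattern it matches."""
    report = json.loads(raw).get("csp-report", {})
    blocked = report.get("blocked-uri", "")
    directive = report.get("violated-directive", "")
    if blocked == "self" and directive.startswith("inline script"):
        sample = report.get("script-sample", "")
        if any(sample.startswith(p) for p in KNOWN_SCRIPT_PREFIXES):
            return "isp-inlined-script"   # our own file, inlined in transit
        return "inline-script"            # some other inline script
    parsed = urlparse(blocked)
    try:
        addr = ipaddress.ip_address(parsed.hostname)
    except ValueError:                    # hostname is not a bare IP (or None)
        return "other"
    if addr in REWRITE_PROXY_NET and "/bmi/" in parsed.path:
        return "isp-rewritten-image"
    return "other"


def summarize(raw_reports):
    """Count reports per label, e.g. for a dashboard behind the report-uri."""
    counts = {}
    for raw in raw_reports:
        label = classify_report(raw)
        counts[label] = counts.get(label, 0) + 1
    return counts
```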