CSP and HTML manipulation by Internet Access Providers from Hendrik Brummermann on 2011-12-29 (public-webappsec@w3.org from December 2011)

From: Hendrik Brummermann <nhb_web@nexgo.de>
Date: Thu, 29 Dec 2011 03:29:56 +0100
To: public-webappsec@w3.org
Message-ID: <4EFBD0A4.3080507@nexgo.de>

Hi,

there is a hidden issue with CSP and Internet Access Providers, which
manipulate the HTML code on the fly.

The largest Internet provider in Germany (Telekom) is one of them.
Telekom will sometimes rewriting the HTML code in transit to replace the
URLs of images and to embed referenced JavaScript files directly into
the HTML page.

For example the original page http://stendhalgame.org/world/online.html
does not contain any inline script. But it ends with:

<script type="text/javascript"
src="/css/jquery-00000002.js"></script><script type="text/javascript"
src="/css/jquery.tooltip-merged.min.js"></script><script
type="text/javascript" src="/css/00000006.js"></script></body>
</html>

If this web page is visited by a customer of German Telekom, they will
inline that script into the <head>-element in some circumstances as the
following screenshot shows:

http://img716.imageshack.us/img716/8348/screenshothtmlmanipulat.png

Firefox/8.0 will therefore create the following violation report:

{
"csp-report": {
    "request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",
    "blocked-uri":"self",
    "violated-directive":"inline script base restriction",
    "source-file":"http://stendhalgame.org/world/online.html",
    "script-sample":"(function($){var height=$.fn.height,widt...",
    "line-number":3
}
}


Furthermore, under the same circumstances, all image URLs are replaced
with URLs pointing to ip-addresses in the bogus 1.2.3.0/24 block:

{
"csp-report":{
    "request":"GET http://stendhalgame.org/world/online.html HTTP/1.1",

"blocked-uri":"http://1.2.3.9/bmi/stendhalgame.org/images/outfit/177094812_0_0_0_0_0.png",
    "violated-directive":"img-src http://stendhalgame.org data://*:*
stendhalgame.org arianne.sf.net arianne.sourceforge.net
https://sflogo.sourceforge.net"
}
}


While there are some reports on ISP manipulating HTML code (e. g.
http://www.zdnet.de/magazin/41515603 in German), there seems to be no
documented way for a website to prevent or even detect this manipulation.

Listening to the CSP reports is too late because those reports are
submitted after the HTML page was sent. It is not possible to use
JavaScript to query for those reports and somehow workaround the
situation because the JavaScript code already got inlined and disabled.

A motivation for the replaced image URLs might be the reduction of
transfered data as this ISP server will provide dynamically-created low
quality images. Inlining huge and cacheable JavaScript files, however,
increases the transfer volume.

TL;DR: Some providers manipulate the HTML code causing their customers
to end up with CSP violations and there seems to be no documented way
for a website to prevent this other than using CSP on https pages only.

Received on Friday, 30 December 2011 06:53:29 UTC