- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 30 Dec 2011 00:14:53 -0800
- To: Hendrik Brummermann <nhb_web@nexgo.de>
- Cc: public-webappsec@w3.org
This is really a bad practice by ISPs. We've studied these modifications in the past and found that a large fraction of them introduce cross-site scripting vulnerabilities into web pages. I'd recommend always using HTTPS if folks insist on using a man-in-the-middle attack to manipulate your content.

Adam

On Wed, Dec 28, 2011 at 6:29 PM, Hendrik Brummermann <nhb_web@nexgo.de> wrote:
> Hi,
>
> there is a hidden issue with CSP and Internet Access Providers, which
> manipulate the HTML code on the fly.
>
> The largest Internet provider in Germany (Telekom) is one of them.
> Telekom will sometimes rewrite the HTML code in transit to replace the
> URLs of images and to embed referenced JavaScript files directly into
> the HTML page.
>
> For example the original page http://stendhalgame.org/world/online.html
> does not contain any inline script. But it ends with:
>
> <script type="text/javascript"
> src="/css/jquery-00000002.js"></script><script type="text/javascript"
> src="/css/jquery.tooltip-merged.min.js"></script><script
> type="text/javascript" src="/css/00000006.js"></script></body>
> </html>
>
> If this web page is visited by a customer of German Telekom, they will
> inline that script into the <head>-element in some circumstances as the
> following screenshot shows:
>
> http://img716.imageshack.us/img716/8348/screenshothtmlmanipulat.png
>
> Firefox/8.0 will therefore create the following violation report:
>
> {
>   "csp-report": {
>     "request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",
>     "blocked-uri": "self",
>     "violated-directive": "inline script base restriction",
>     "source-file": "http://stendhalgame.org/world/online.html",
>     "script-sample": "(function($){var height=$.fn.height,widt...",
>     "line-number": 3
>   }
> }
>
> Furthermore, under the same circumstances, all image URLs are replaced
> with URLs pointing to IP addresses in the bogus 1.2.3.0/24 block:
>
> {
>   "csp-report": {
>     "request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",
>     "blocked-uri": "http://1.2.3.9/bmi/stendhalgame.org/images/outfit/177094812_0_0_0_0_0.png",
>     "violated-directive": "img-src http://stendhalgame.org data://*:* stendhalgame.org arianne.sf.net arianne.sourceforge.net https://sflogo.sourceforge.net"
>   }
> }
>
> While there are some reports on ISPs manipulating HTML code (e.g.
> http://www.zdnet.de/magazin/41515603 in German), there seems to be no
> documented way for a website to prevent or even detect this manipulation.
>
> Listening to the CSP reports is too late because those reports are
> submitted after the HTML page was sent. It is not possible to use
> JavaScript to query for those reports and somehow work around the
> situation because the JavaScript code already got inlined and disabled.
>
> A motivation for the replaced image URLs might be the reduction of
> transferred data as this ISP server will provide dynamically-created low
> quality images. Inlining huge and cacheable JavaScript files, however,
> increases the transfer volume.
>
> TL;DR: Some providers manipulate the HTML code causing their customers
> to end up with CSP violations and there seems to be no documented way
> for a website to prevent this other than using CSP on https pages only.
Received on Friday, 30 December 2011 08:15:54 UTC
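The thread notes that CSP reports arrive too late to rescue the affected page load, but a site operator collecting them can still recognise the pattern of in-transit rewriting across many reports. The following is an added example, not code from the list thread or from either participant: a small Python triage pass over line-delimited CSP report JSON that flags the two signatures quoted above (an inline-script violation on a page fetched over plain HTTP from a site that ships no inline script, and an img-src violation whose blocked URI points into 1.2.3.0/24). The function names, the line-delimited input format, the label strings and the third sample report are assumptions of this example; the first two samples are modelled on the Firefox/8.0 reports in the message.

```python
"""Triage CSP violation reports for patterns consistent with HTML rewriting in transit.

Added example (not from the list thread). Labels, function names and the
line-delimited input format are assumptions of this example.
"""
import ipaddress
import json
from urllib.parse import urlparse

# The address block named in the thread as the destination of rewritten image URLs.
REWRITTEN_IMAGE_NET = ipaddress.ip_network("1.2.3.0/24")

# Constructed sample input: two reports modelled on the thread, plus one ordinary
# violation (constructed, https page, third-party script) that should not be flagged.
SAMPLE_REPORT_LINES = [
    json.dumps({"csp-report": {
        "request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",
        "blocked-uri": "self",
        "violated-directive": "inline script base restriction",
        "source-file": "http://stendhalgame.org/world/online.html",
        "script-sample": "(function($){var height=$.fn.height,widt...",
        "line-number": 3}}),
    json.dumps({"csp-report": {
        "request": "GET http://stendhalgame.org/world/online.html HTTP/1.1",
        "blocked-uri": "http://1.2.3.9/bmi/stendhalgame.org/images/outfit/177094812_0_0_0_0_0.png",
        "violated-directive": "img-src http://stendhalgame.org data://*:* stendhalgame.org "
                              "arianne.sf.net arianne.sourceforge.net https://sflogo.sourceforge.net"}}),
    json.dumps({"csp-report": {
        "request": "GET https://stendhalgame.org/ HTTP/1.1",
        "blocked-uri": "https://example.invalid/tracker.js",
        "violated-directive": "script-src 'self'"}}),
]


def request_scheme(csp: dict) -> str:
    """Return the URL scheme from the report's 'request' field ("GET <url> HTTP/1.1")."""
    parts = csp.get("request", "").split()
    if len(parts) >= 2:
        return urlparse(parts[1]).scheme.lower()
    return ""


def classify(report: dict) -> str:
    """Label one report.  Assumes the site's own pages contain no inline script, so an
    inline-script violation on a cleartext (http) page is consistent with modification
    in transit; an img-src violation pointing into 1.2.3.0/24 matches the rewritten
    image URLs described in the thread.  Everything else is 'other'."""
    csp = report.get("csp-report", report)
    directive = csp.get("violated-directive", "")
    blocked = csp.get("blocked-uri", "")
    if directive.startswith("inline script") and blocked == "self" and request_scheme(csp) == "http":
        return "inline-script-over-http"
    if directive.startswith("img-src"):
        host = urlparse(blocked).hostname
        try:
            if host and ipaddress.ip_address(host) in REWRITTEN_IMAGE_NET:
                return "image-rewritten"
        except ValueError:
            pass  # hostname is a name, not a literal IP address
    return "other"


def triage(lines) -> dict:
    """Count labels over an iterable of JSON lines; malformed lines are counted, not raised."""
    counts = {}
    for line in lines:
        try:
            report = json.loads(line)
        except json.JSONDecodeError:
            counts["malformed"] = counts.get("malformed", 0) + 1
            continue
        label = classify(report)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT_LINES))
```

The cleartext check in `classify` encodes the thread's conclusion: the same inline-script violation on an https page would not be attributed to an intermediary, because the rewriting described here is only possible on plain-HTTP responses.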