Re: CSP within frame constructed with "data:" URI? from James Marshall on 2013-04-27 (public-webappsec@w3.org from April 2013)

From: James Marshall <james@jmarshall.com>
Date: Sat, 27 Apr 2013 11:42:13 -0700
To: Adam Barth <w3c@adambarth.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAGEp=f0iw98tBZzEoXYxYOP9re0A182qQ6TXLPAe3q_+FpPhbg@mail.gmail.com>

Ah, right, the scheme has to match.

This looks like a false alarm all around-- I now see that Firefox only
supports X-Content-Security-Policy: so far, and indeed, when I alter the
HTTP response below to include that, the frame is correctly blocked.  Also,
I also see that CSP is in Chrome 25 and higher, so I need to upgrade
(currently using 24).

Thanks,
James



On Sat, Apr 27, 2013 at 7:11 AM, Adam Barth <w3c@adambarth.com> wrote:

> On Fri, Apr 26, 2013 at 5:28 PM, James Marshall <james@jmarshall.com>
> wrote:
> > If a frame or iframe is constructed with a "data:" URI, is that frame's
> > content governed by the CSP of the parent document?  If not, then it
> > currently seems like a way to bypass CSP enforcement.
> >
> > For example, the HTML in this HTTP response, including the embedded
> alert(),
> > is rendered by both Firefox and Chrome:
> >
> > =============================
> > HTTP/1.1 200 OK
> > Content-Security-Policy: default-src 'none'
> > Content-Type: text/html
> >
> > <html><body>
> > <p>Before iframe.
> >
> > <iframe
> >
> src="data:text/html;charset=utf-8;base64,PGh0bWw+PGJvZHk+PHA+YmVmb3JlIHNjcmlwdDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij5hbGVydCgnaW4gc2NyaXB0Jyk8L3NjcmlwdD48cD5hZnRlciBzY3JpcHQ8L2JvZHk+PC9odG1sPg=="></iframe>
> >
> > <p>After iframe.
> >
> > </body></html>
> > =============================
> >
> > The data: URI decodes to "<html><body><p>before script<script
> > type="text/javascript">alert('in script')</script><p>after
> > script</body></html>" .
> >
> > Perhaps should the CSP's frame-src be required to contain 'unsafe-inline'
> > before rendering data: URIs in frame and iframe elements?
>
> The default-src 'none' directive will prevent this iframe from being
> loaded from a data URL.  You'd need to explicitly whitelist data: in
> order for it to load.  Which version of Chrome did you test with?  (If
> you're testing in Firefox, you'll need to enable support for the
> standard Content-Security-Policy header via about:config I believe.)
>
> Adam
>
>

Received on Saturday, 27 April 2013 18:42:41 UTC