W3C home > Mailing lists > Public > public-webappsec@w3.org > August 2013

[webappsec] CSP: are blob uri's really just origin='self'?

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 30 Aug 2013 14:05:32 -0700
Message-ID: <CAEeYn8g3Y2rDS-1f5x+hJRnGms9n=KxwzTXONmaWGmGEFyd5aw@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
I started writing CSP tests for workers, and realized that the blob: scheme
can be used to circumvent inline-script and eval protections. You can grab
text out of the DOM or any string, use createObjectURL() and run it as
script, so long as 'self' is in the policy.

Example here:

http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11.php


Mozilla and Chrome both treat blob: as equivalent to 'self'.  They block it
if it the policy disallows 'self':

http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11_1.php


In another test, the script does the equivalent of an eval using the same
blob construction:

http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11_2.php

I wonder if this is the right treatment.  It seems that blob: data could
come from anywhere, and that using it as the source of a script or worker
is creating code from unsafe strings.  I wonder if we shouldn't link it to
unsafe-inline, unsafe-eval, or both rather than to 'self'?  Otherwise it
seems like an obvious bypass.

(source at: https://github.com/hillbrad/CSP/)

:(

-Brad
Received on Friday, 30 August 2013 21:06:00 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:02 UTC