- From: Brad Hill <hillbrad@gmail.com>
- Date: Fri, 30 Aug 2013 14:05:32 -0700
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEeYn8g3Y2rDS-1f5x+hJRnGms9n=KxwzTXONmaWGmGEFyd5aw@mail.gmail.com>
I started writing CSP tests for workers, and realized that the blob: scheme can be used to circumvent inline-script and eval protections. You can grab text out of the DOM or any string, use createObjectURL() and run it as script, so long as 'self' is in the policy. Example here:

http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11.php

Mozilla and Chrome both treat blob: as equivalent to 'self'. They block it if the policy disallows 'self':

http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11_1.php

In another test, the script does the equivalent of an eval using the same blob construction:

http://webappsec-test.info/web-platform-tests/CSP/script-src/CSP_1_11_2.php

I wonder if this is the right treatment. It seems that blob: data could come from anywhere, and that using it as the source of a script or worker is creating code from unsafe strings. I wonder if we shouldn't link it to unsafe-inline, unsafe-eval, or both rather than to 'self'? Otherwise it seems like an obvious bypass.

(source at: https://github.com/hillbrad/CSP/)

:(

-Brad
Received on Friday, 30 August 2013 21:06:00 UTC
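The policy question raised in the post, as an added example that is not part of Brad Hill's message or the W3C thread: a small Python CSP checker that parses a Content-Security-Policy header, resolves which directive governs script loads (script-src, else default-src), and reports whether blob:-sourced scripts would run under the treatment the post describes (browsers counting blob: as covered by 'self') next to a model where blob: must be listed as an explicit source expression. The parser, the function names and the sample headers are assumptions of mine; the "self implies blob" switch models the Mozilla/Chrome behaviour the post reports, not a claim about any particular browser version.

```python
# Added example (not from the post or the thread): audit a CSP header for
# whether blob:-sourced scripts would be allowed to execute.
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are ';'-separated; each is a name followed by whitespace-
    separated source expressions. A repeated directive name is ignored
    (the first occurrence wins), matching how CSP treats duplicates.
    """
    directives: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, sources)
    return directives


def effective_script_sources(directives: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src governs script loads; default-src is the fallback.

    Returns None when neither directive is present, i.e. script loads
    are not restricted by this policy at all.
    """
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src")


def blob_scripts_allowed(header: str, self_implies_blob: bool = True) -> bool:
    """Would a <script src="blob:..."> (or a blob: Worker) be permitted?

    self_implies_blob=True models the behaviour the post describes, where
    'self' is treated as also covering blob: URLs. With False, blob: must
    appear explicitly. Note that '*' does not cover blob: in either model:
    scheme sources such as blob:, data: and filesystem: must be listed.
    """
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True  # nothing restricts script loads
    lowered = [s.lower() for s in sources]
    if "blob:" in lowered:
        return True
    return self_implies_blob and "'self'" in lowered


def audit(header: str) -> List[str]:
    """Findings a reviewer would flag, based on the concern raised in the post."""
    findings: List[str] = []
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        findings.append("no script-src or default-src: script loads are unrestricted")
        return findings
    lowered = {s.lower() for s in sources}
    if "'unsafe-inline'" in lowered:
        findings.append("'unsafe-inline' present: inline script protection is off")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval' present: eval protection is off")
    if blob_scripts_allowed(header, self_implies_blob=True):
        findings.append(
            "blob: scripts allowed: page strings can become script via createObjectURL()"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real site.
    for sample in (
        "script-src 'self'",
        "default-src 'self'; img-src *",
        "script-src 'none'",
        "script-src https://cdn.example blob:",
    ):
        print(f"{sample!r}: {audit(sample) or ['no findings']}")
```

The useful comparison is `blob_scripts_allowed(h)` against `blob_scripts_allowed(h, self_implies_blob=False)`: a policy that reads as locked down under the explicit model but opens up under the implied one is exactly the case the post is worried about.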