Re: [webappsec] CSP: are blob uri's really just origin='self'?


Interesting!

according to :

The origin of a Blob URI must be the origin of the script that
called URL.createObjectURL .. Blob URIs must only be valid within
this origin.

Things get more interesting when blobs are passed cross origin via
postMessage, for example. Gecko can't quite do this
(see but from that bug
it sounds like other browsers do support this.

In the cross origin/postMessage case especially, 'self' seems like the
wrong thing to be doing.

On first thought at least, linking blobs to 'unsafe-eval' seems like a
reasonable thing to do - as you say
the code is coming from unsafe strings...


On Fri, Aug 30, 2013 at 2:05 PM, Brad Hill wrote:

> I started writing CSP tests for workers, and realized that the blob:
> scheme can be used to circumvent inline-script and eval protections. You
> can grab text out of the DOM or any string, use createObjectURL() and run
> it as script, so long as 'self' is in the policy.
> Example here:
> Mozilla and Chrome both treat blob: as equivalent to 'self'.  They block
> it if the policy disallows 'self':
> In another test, the script does the equivalent of an eval using the same
> blob construction:
> I wonder if this is the right treatment.  It seems that blob: data could
> come from anywhere, and that using it as the source of a script or worker
> is creating code from unsafe strings.  I wonder if we shouldn't link it to
> unsafe-inline, unsafe-eval, or both rather than to 'self'?  Otherwise it
> seems like an obvious bypass.
> (source at:
> :(
> -Brad

Received on Friday, 30 August 2013 21:58:16 UTC
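The thread turns on one question: does a script-src list that contains 'self' also admit blob: URLs? The following is an added example, not code from the thread or from any browser or spec; it is a small CSP script-src linter that parses a policy header and reports whether blob: would be runnable as script under the two treatments discussed above (blob: folded into 'self', as Mozilla and Chrome did when this was written, versus blob: only allowed when listed explicitly, which is what later browsers require). The function names `parseCsp`, `scriptSources`, `blobScriptAllowed` and `lintScriptSrc` and the sample policies are assumptions made for this example.

```javascript
// Added example (not from the thread): lint a CSP header for the blob:-as-script
// question. All function names and sample policies here are constructed.

// Parse "name value value; name value" into a Map of directive -> [sources].
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    // A repeated directive is ignored by browsers; keep the first one.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
    }
  }
  return directives;
}

// The source list that governs scripts: script-src, else default-src,
// else nothing (scripts are unrestricted).
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Would a blob: URL be accepted as a script/worker source?
// blobIsSelf = true  models the 2013 behaviour described in the thread.
// blobIsSelf = false models a browser that requires an explicit "blob:" source.
// Note that "*" does not match blob: under either model; the wildcard only
// covers network schemes, so blob: must be named (or inherited from 'self').
function blobScriptAllowed(header, { blobIsSelf }) {
  const sources = scriptSources(parseCsp(header));
  if (sources === null) return true;          // no directive restricts scripts
  if (sources.includes("'none'")) return false;
  if (sources.includes('blob:')) return true;
  if (blobIsSelf && sources.includes("'self'")) return true;
  return false;
}

// Produce human-readable findings a reviewer of the header would want.
function lintScriptSrc(header) {
  const findings = [];
  const sources = scriptSources(parseCsp(header));
  if (sources === null) {
    findings.push('no script-src or default-src: scripts are unrestricted');
    return findings;
  }
  const legacy = blobScriptAllowed(header, { blobIsSelf: true });
  const strict = blobScriptAllowed(header, { blobIsSelf: false });
  if (legacy && !strict) {
    findings.push("blob: scripts allowed only where 'self' is treated as covering blob:");
  } else if (strict) {
    findings.push('blob: scripts allowed by an explicit blob: source');
  }
  if (sources.includes("'unsafe-eval'")) findings.push("'unsafe-eval' present");
  if (sources.includes("'unsafe-inline'")) findings.push("'unsafe-inline' present");
  // The thread's concern: a policy meant to forbid eval/inline still lets
  // string-built code run if blob: gets in through 'self'.
  if (legacy && !sources.includes("'unsafe-eval'")) {
    findings.push("policy forbids 'unsafe-eval' but a blob:-as-'self' browser would still run blob: scripts");
  }
  return findings;
}

// Constructed sample policies for a quick run.
const samplePolicies = [
  "default-src 'self'",
  "default-src 'none'; script-src https://cdn.example.test",
  "script-src 'self' blob:",
];
for (const p of samplePolicies) {
  console.log(p, '=>', lintScriptSrc(p));
}
```

The checker is deliberately conservative: it treats a missing script-governing directive as "anything goes", and it does not try to match host or path sources, since the question here is only whether blob: slips in via 'self'. Running it on `default-src 'self'` shows the situation Brad describes: the policy blocks eval and inline script, yet a browser that folds blob: into 'self' still runs blob:-backed scripts.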