Re: [webappsec] CSP: are blob uri's really just origin='self'?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 03 Sep 2013 11:05:07 -0700
Message-ID: <522624D3.5020208@mozilla.com>
To: Brad Hill <hillbrad@gmail.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 8/30/2013 2:05 PM, Brad Hill wrote:
> I started writing CSP tests for workers, and realized that the blob:
> scheme can be used to circumvent inline-script and eval protections. You
> can grab text out of the DOM or any string, use createObjectURL() and
> run it as script, so long as 'self' is in the policy.

Where we go wrong is in section where matching rules allow "*"
to match all schemes. We'd be better off treating it as implied by the
syntax in 3.2.2:

According to the syntax the "*" is part of the "host" production, which
has an optional scheme part. Elsewhere in the matching rules if the
scheme is not present then the scheme must match the document's scheme;
as an exception we also allow https: to match documents which have a
http: scheme. Currently if you specify * it will match ftp, gopher, aim,
file, and anything that might get invented after the page author
specifies their policy.

-Dan Veditz

Received on Tuesday, 3 September 2013 18:05:39 UTC
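
The scheme-matching difference discussed in the message above, as an added example that is not part of the original post or of the CSP specification text. It is a simplified model: ports, paths and 'self' are left out, the function names and the "current"/"proposed" mode labels are assumptions made for illustration, and the sample URLs are constructed.

```javascript
// Simplified model of CSP host-source scheme matching (illustration only).

// Split a host-source such as "*", "cdn.example" or "https://*.cdn.example"
// into its optional scheme part and its host part.
function parseHostSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(.+)$/i.exec(expr);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase() };
}

// "*" matches any host, "*.x" matches subdomains of x, otherwise exact match.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

// Scheme rule as described in the message: an explicit scheme must match;
// with no scheme part the URL must use the document's scheme, except that
// https: is also accepted for an http: document.
function schemeMatches(sourceScheme, urlScheme, docScheme) {
  if (sourceScheme) return sourceScheme === urlScheme;
  return urlScheme === docScheme ||
    (docScheme === 'http' && urlScheme === 'https');
}

// mode "current":  a bare "*" matches every scheme.
// mode "proposed": "*" is only a host wildcard, so the scheme rule applies.
function sourceAllows(expr, url, docUrl, mode) {
  if (mode === 'current' && expr === '*') return true;
  const src = parseHostSource(expr);
  const u = new URL(url);
  const urlScheme = u.protocol.slice(0, -1);
  const docScheme = new URL(docUrl).protocol.slice(0, -1);
  return schemeMatches(src.scheme, urlScheme, docScheme) &&
    hostMatches(src.host, u.hostname);
}

// Constructed sample URLs, evaluated against a policy source of "*".
function compare(docUrl) {
  const samples = ['http://cdn.example/a.js', 'https://cdn.example/a.js',
                   'ftp://files.example/a.js', 'gopher://old.example/1'];
  return samples.map((url) => ({
    url,
    current: sourceAllows('*', url, docUrl, 'current'),
    proposed: sourceAllows('*', url, docUrl, 'proposed'),
  }));
}
```

Under the "proposed" mode a policy author who still wants another scheme has to name it in the source, for example `ftp://*`.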