- From: Eduardo' Vela\ <evn@google.com>
- Date: Mon, 20 Jul 2015 12:24:24 +0200
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 20 July 2015 10:25:12 UTC
javascript:foo doesn't work; it's governed by 'unsafe-inline'.
Test:
http://evilwebsite.com/xss.php?http_xss=content-security-policy:%20default-src%20%27none%27
Compare the links "gen_source" vs. "click". One triggers a CSP error and
the other one doesn't (one is javascript:foo the other is blob:foo).
Refused to execute JavaScript URL because it violates the following Content
Security Policy directive: "default-src 'none'". Either the 'unsafe-inline'
keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to
enable inline execution. Note also that 'script-src' was not explicitly
set, so 'default-src' is used as a fallback.
On Mon, Jul 20, 2015 at 12:20 PM, Mike West <mkwst@google.com> wrote:
> On Mon, Jul 20, 2015 at 11:57 AM, Eduardo' Vela" <Nava> <evn@google.com>
> wrote:
>
>> doesn't location='blob:foo' also work?
>>
>
> As does `window.location = 'javascript:foo';`. *shrug* If this is a bypass
> we care about we could be more aggressive by tying the CSP of the document
> that created a blob to the blob in some way, and applying that policy in
> conjunction with the policy of the embedding document.
>
> -mike
>
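The comparison described in the message above, as an added self-contained test page that is not the xss.php page from the thread and not code by either participant. It keeps the thread's `default-src 'none'` policy but adds a nonce (the fixed value `demo123` is a demo assumption) so that the one inline script which builds the blob: link may run; the original test set the header server-side instead. The `securitypolicyviolation` event is used to record the block without reading the console. Serve it over http rather than file:. Note that CSP3 later specified that a document loaded from a blob: URL inherits the policy of the document that created it, so in a current browser the blob: page may be blocked as well; the harness reports whichever happens.

```html
<!doctype html>
<meta charset="utf-8">
<!-- Added reproduction harness, not the thread's xss.php page. -->
<!-- default-src 'none' mirrors the thread's test; the nonce is a fixed demo
     value (assumption) so that this page's own inline script may run. -->
<meta http-equiv="Content-Security-Policy"
      content="default-src 'none'; script-src 'nonce-demo123'">
<title>javascript: vs blob: navigation under CSP</title>

<p><a id="js" href="javascript:document.write('javascript: URL ran')">click javascript:</a></p>
<p><a id="blob" href="#">click blob:</a></p>
<pre id="log"></pre>

<script nonce="demo123">
  const log = (msg) => { document.getElementById('log').textContent += msg + '\n'; };

  // Every CSP violation in this document, including a blocked javascript:
  // navigation, fires this event; it is how the page records the block.
  document.addEventListener('securitypolicyviolation', (e) => {
    log(`CSP violation: ${e.violatedDirective} blocked ${e.blockedURI}`);
  });

  // The blob holds a complete HTML document whose only script is inline,
  // i.e. exactly what default-src 'none' forbids in the creating document.
  // Whether that script runs after navigation depends on whether the browser
  // applies this document's policy to the blob: document it created.
  const blob = new Blob(
    ['<!doctype html><script>document.write("blob: inline script ran")<\/script>'],
    { type: 'text/html' });
  const blobUrl = URL.createObjectURL(blob);
  document.getElementById('blob').href = blobUrl;
  log('blob URL created: ' + blobUrl);
</script>
```

Clicking the first link should log a violation with `script-src` (or its `default-src` fallback) as the violated directive and never execute; clicking the second navigates to the blob: document, and what appears there shows whether the creating page's policy was carried along.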