
Re: CSP: Blob URLs in new windows.

From: Eduardo' Vela\ <evn@google.com>
Date: Mon, 20 Jul 2015 12:24:24 +0200
Message-ID: <CAFswPa8CUs93GvErPAyUqgHsFs4C8qBWpe1jpSn=OEtskdowxg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
javascript:foo doesn't work; it's governed by unsafe-inline.

Test:
http://evilwebsite.com/xss.php?http_xss=content-security-policy:%20default-src%20%27none%27

Compare the links "gen_source" vs. "click". One triggers a CSP error and
the other one doesn't (one is javascript:foo the other is blob:foo).


Refused to execute JavaScript URL because it violates the following Content
Security Policy directive: "default-src 'none'". Either the 'unsafe-inline'
keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to
enable inline execution. Note also that 'script-src' was not explicitly
set, so 'default-src' is used as a fallback.
On Mon, Jul 20, 2015 at 12:20 PM, Mike West <mkwst@google.com> wrote:

> On Mon, Jul 20, 2015 at 11:57 AM, Eduardo' Vela" <Nava> <evn@google.com>
> wrote:
>
>> doesn't location='blob:foo' also work?
>>
>
> As does `window.location = 'javascript:foo';`. *shrug* If this is a bypass
> we care about we could be more aggressive by tying the CSP of the document
> that created a blob to the blob in some way, and applying that policy in
> conjunction with the policy of the embedding document.
>
> -mike
>
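The distinction the thread turns on (a javascript: navigation is governed by 'unsafe-inline' in script-src, with default-src as fallback, whereas a blob: URL is an ordinary scheme that CSP only blocks if no scheme-source covers it) is easy to get wrong when reviewing a policy. The helper below is an added example, not code from this thread or from any browser: `parse_csp`, `script_url_allowed` and `allowed_by_all` are hypothetical names, and the model is deliberately simplified (host sources, 'self', nonces and hashes are not modelled; '*' is assumed to cover only http and https). `allowed_by_all` expresses Mike's proposal as a function: a navigation must satisfy the creating document's policy and the embedding document's policy together.

```python
"""Hypothetical helper (added example, not code from the thread): evaluates a
navigation URL against the script-src / default-src of one or more CSP policies."""
from urllib.parse import urlsplit


def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}.

    Tokens are lower-cased, which is fine for schemes and keywords (both are
    case-insensitive in CSP) but would break nonces, which are not modelled here.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), [t.lower() for t in tokens[1:]]
        policy.setdefault(name, sources)  # CSP ignores a repeated directive
    return policy


def script_sources(policy):
    """script-src governs script URLs; default-src is its fallback, as the
    console message quoted above says. None means the policy is silent."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def script_url_allowed(policy, url):
    """Decide whether `url` passes the script source list of `policy`.

    Simplified model (assumption): javascript: URLs need 'unsafe-inline';
    any other scheme needs an explicit scheme-source such as blob:; '*' is
    taken to cover only http/https; host sources, 'self', nonces and hashes
    are ignored.
    """
    sources = script_sources(policy)
    if sources is None:
        return True  # no applicable directive, nothing to enforce
    scheme = urlsplit(url).scheme.lower()
    if scheme == "javascript":
        return "'unsafe-inline'" in sources
    for src in sources:
        if src == scheme + ":":
            return True
        if src == "*" and scheme in ("http", "https"):
            return True
    return False  # covers 'none' and any list without a matching source


def allowed_by_all(policies, url):
    """The proposal from the thread as a function: a blob: navigation must
    satisfy the creator's policy *and* the embedding document's policy."""
    return all(script_url_allowed(p, url) for p in policies)


if __name__ == "__main__":
    creator = parse_csp("default-src 'none'")  # the policy from the test page
    new_window = parse_csp("")                 # the opened window carries none
    # constructed sample URLs; "foo" stands in for whatever the page used
    for url in ("javascript:foo", "blob:https://example.invalid/uuid"):
        print(url, "->", allowed_by_all([creator, new_window], url))
```

Run stand-alone it prints that both URLs are refused once the creator's `default-src 'none'` is taken into account, while `script_url_allowed(new_window, ...)` alone lets the blob: navigation through, which is the gap the thread is describing.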
Received on Monday, 20 July 2015 10:25:12 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC