
Issue 615346 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: ----
Type: Bug-Security




Security: Unsafe javascript executed in spite of Content Security Policy

Reported by espen...@gmail.com, May 27 2016

Issue description

VULNERABILITY DETAILS
Inline script elements located at the very top of an HTML page, before the HTML start tag, are executed even if the user has explicitly blocked non-whitelisted scripts in a Content-Security-Policy meta tag in the head section.
Even if it's a very bad thing (!) to implement Content-Security-Policy in meta tags, some users may still trust http-equiv meta tags to work the same way as if the directives were given in the server header.

Generally, there should be some option to block scripts that are appended or prepended completely outside the DOM. This 'feature' effectively breaks additional security measures such as PGP signing of the HTML source to preserve the integrity of high-security static HTML pages. Malicious scripts that are injected outside the signed block can alter the displayed page content without actually breaking the PGP signature.

VERSION
Chrome Version: 50.0.2661.102 (64-bit)
Operating System: OS X El Capitan, 10.11.3 (15D21)

REPRODUCTION CASE
See attached HTML file. I expected only the second script element to execute, but the first test script at the top of the page is run as well. The third script element at the bottom is blocked as one would expect.
 
Attachment: test.html (1.1 KB)

Comment 1 by mea...@chromium.org, May 27 2016

Cc: jww@chromium.org mkwst@chromium.org est...@chromium.org
Components: Internals
Labels: OS-All
Thanks for your report. There are existing bugs about CSP defined in meta tags (e.g., bug 166096), so this could be a known problem, but adding CSP experts to confirm.

Comment 2 by est...@chromium.org, May 27 2016

This behavior is according to spec: from https://www.w3.org/TR/CSP3/#meta-element,

"Authors are strongly encouraged to place meta elements as early in the document as possible, because policies in meta elements are not applied to content which precedes them. In particular, note that resources fetched or prefetched using the Link HTTP response header field, and resources fetched or prefetched using link and script elements which precede a meta-delivered policy will not be blocked."
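An added audit script, not part of the bug report or of Chromium, that checks for the ordering problem the report and the spec quote describe: it parses an HTML document and reports which script elements precede the first meta-delivered Content-Security-Policy and are therefore outside its reach (a header-delivered policy would cover them all). The sample document is constructed here and mirrors the report's layout; `audit_meta_csp` and `CspMetaOrderChecker` are names chosen for this example.

```python
from html.parser import HTMLParser


class CspMetaOrderChecker(HTMLParser):
    """Record <script> start tags relative to the first CSP meta element.

    Per CSP3 (https://www.w3.org/TR/CSP3/#meta-element), a policy delivered in a
    meta element is not applied to content that precedes it, so scripts seen
    before the meta element run without the policy's restrictions.
    """

    def __init__(self):
        super().__init__()
        self.policy_line = None          # line of the first CSP meta, if any
        self.scripts_before_policy = []  # lines of <script> seen before it
        self.scripts_after_policy = []   # lines of <script> seen after it

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        line, _ = self.getpos()  # 1-based line of this start tag
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "content-security-policy":
            if self.policy_line is None:
                self.policy_line = line
        elif tag == "script":
            if self.policy_line is None:
                self.scripts_before_policy.append(line)
            else:
                self.scripts_after_policy.append(line)


def audit_meta_csp(html: str) -> dict:
    """Return which script elements a meta-delivered CSP can and cannot govern."""
    parser = CspMetaOrderChecker()
    parser.feed(html)
    parser.close()
    return {"policy_line": parser.policy_line,
            "ungoverned_scripts": parser.scripts_before_policy,
            "governed_scripts": parser.scripts_after_policy}


# Constructed sample modelled on the report: a script before the HTML start tag,
# a CSP meta in <head>, a nonced script after it, and a plain script in <body>.
SAMPLE = """<script>document.title = 'before policy';</script>
<!DOCTYPE html>
<html><head>
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc123'">
<script nonce="abc123">document.title = 'allowed';</script>
</head><body><script>document.title = 'blocked';</script></body></html>"""

if __name__ == "__main__":
    report = audit_meta_csp(SAMPLE)
    for line in report["ungoverned_scripts"]:
        print(f"line {line}: <script> precedes the meta CSP on line {report['policy_line']}; the policy cannot block it")
```

Running it on the sample flags the line 1 script only; the scripts on lines 5 and 6 are subject to the policy, which matches the behaviour the report observed.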

Comment 3 by mea...@chromium.org, May 27 2016

Labels: -Restrict-View-SecurityTeam
Status: WontFix (was: Unconfirmed)
estark: Thanks for confirming.

Closing since this is working as intended.

Comment 4 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
