Security: CSP-bypass. 302 bypasses paths
Reported by kidd...@gmail.com, Jul 22 2016
Issue description

VULNERABILITY DETAILS
It's possible to bypass whitelisted paths in CSP by issuing a 302 to a non-whitelisted path.

VERSION
Chrome Version: 54.0.2803.0 canary (64-bit)
Operating System: Windows 10 Pro

Steps to reproduce:
1. Create a page: example.com/foo/bar/poc.php
2. poc.php will have a "Location" header to example2.com/notwhitelisted/poc.jpg
3. Create a CSP with: "img-src example.com/foo/bar/ example2.com/foo/"
4. Create a page with the HTML <img src="https://example.com/foo/bar/poc.php"/>
5. https://example.com/foo/bar/poc.php will load from example2.com/notwhitelisted/poc.jpg

As you see above, the path "/notwhitelisted/" is not listed as valid in the CSP, still the 302 can get the image from there. If we try to show the image directly (via img src) it will not be shown!

Full working PoC: https://headersandbox.herokuapp.com/#&content-security-policy=img-src swehack.org/img/a.php s.chloe.re/foo/test/bar/hello.jpg&html=PGltZyBzcmM9Imh0dHBzOi8vc3dlaGFjay5vcmcvaW1nL2EucGhwIi8+CjxpbWcgc3JjPSJodHRwczovL3MuY2hsb2UucmUvZm9vL2EuanBnIi8+Cg==

My thoughts: yes, "example.com/foo/bar/" is whitelisted, but it should not be allowed to control the paths of other whitelisted directives. Open redirect vulnerabilities would bypass CSP if the CSP uses paths.

Thank you!
Jul 22 2016
Hi, thanks for the report. While unintuitive, this is working as intended, to prevent leaking cross-origin paths after redirects. See issue 452821, https://www.w3.org/TR/CSP2/#source-list-paths-and-redirects, and https://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0036.html for more discussion.
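The triage reply points at the CSP2 "paths and redirects" rule: the path component of a source expression is only enforced against the URL the page originally requested; once a response redirects, the redirect target is checked against scheme, host and port only. The following matcher is an added example written for this page, not Chromium code and not the reporter's PoC. It implements the CSP2 host-source matching steps (scheme, host with leading wildcard, port, and prefix-or-exact path) plus the redirect rule, and then replays the report's scenario. Assumptions: the protected document is served over https (so scheme-less sources match https, and http documents also accept https upgrades, as CSP2 specifies), and keyword sources such as 'self' are ignored rather than expanded. The policy and URLs below are the ones from the report; the evil.example hop is a constructed extra case.

```javascript
// Added example: CSP2-style host-source matching with the "paths and
// redirects" rule. Not the browser's implementation; a model of the spec
// steps referenced in the triage reply.

// Parse "scheme://host:port/path" where every part except host is optional.
function parseSource(expr) {
  let rest = expr;
  let scheme = null;
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):\/\//.exec(rest);
  if (m) { scheme = m[1].toLowerCase(); rest = rest.slice(m[0].length); }
  let path = null;
  const slash = rest.indexOf('/');
  if (slash !== -1) { path = rest.slice(slash); rest = rest.slice(0, slash); }
  let port = null;
  const colon = rest.lastIndexOf(':');
  if (colon !== -1) { port = rest.slice(colon + 1); rest = rest.slice(0, colon); }
  return { scheme, host: rest.toLowerCase(), port, path };
}

const DEFAULT_PORT = { http: '80', https: '443' };

// "*.example.com" matches any subdomain but not example.com itself.
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// CSP2 path rule: trailing "/" means prefix match, otherwise exact match.
function pathMatches(pattern, path) {
  if (pattern === null || pattern === '') return true;
  if (pattern.endsWith('/')) return path.startsWith(pattern);
  return path === pattern;
}

// Match one parsed source expression against a URL. When `redirected` is
// true the path component is ignored, which is the behaviour the report
// observed and the reply calls "working as intended".
function sourceMatches(src, urlString, redirected, documentScheme) {
  const u = new URL(urlString);
  const scheme = u.protocol.replace(':', '');
  if (src.scheme !== null) {
    if (src.scheme !== scheme) return false;
  } else if (!(scheme === documentScheme || (documentScheme === 'http' && scheme === 'https'))) {
    return false;
  }
  if (!hostMatches(src.host, u.hostname)) return false;
  const urlPort = u.port || DEFAULT_PORT[scheme] || '';
  if (src.port === null) {
    if (u.port !== '') return false; // URL must use the scheme's default port
  } else if (src.port !== '*' && src.port !== urlPort) {
    return false;
  }
  if (redirected) return true; // path is not consulted after a redirect
  return pathMatches(src.path, u.pathname);
}

// Does the directive value (e.g. the part after "img-src") allow this URL?
// Keyword sources like 'self' are skipped in this model (assumption).
function allowedBy(directiveValue, urlString, redirected = false, documentScheme = 'https') {
  return directiveValue.trim().split(/\s+/)
    .filter((tok) => tok !== '' && !tok.startsWith("'"))
    .map(parseSource)
    .some((src) => sourceMatches(src, urlString, redirected, documentScheme));
}

// Walk a redirect chain the way the browser does: the first URL is checked
// with paths, every later hop without them. Returns where the load stops.
function simulateFetch(directiveValue, chain, documentScheme = 'https') {
  for (let i = 0; i < chain.length; i++) {
    if (!allowedBy(directiveValue, chain[i], i > 0, documentScheme)) {
      return { allowed: false, blockedAt: chain[i] };
    }
  }
  return { allowed: true, blockedAt: null };
}

// The policy and URLs from the report.
const POLICY = 'example.com/foo/bar/ example2.com/foo/';
const DIRECT = 'https://example2.com/notwhitelisted/poc.jpg';
const VIA_302 = ['https://example.com/foo/bar/poc.php', DIRECT];
const TO_OTHER_HOST = ['https://example.com/foo/bar/poc.php', 'https://evil.example/poc.jpg']; // constructed

console.log('direct <img src> load allowed:', allowedBy(POLICY, DIRECT));       // false
console.log('same URL reached via 302:', simulateFetch(POLICY, VIA_302));        // allowed
console.log('302 to a non-listed host:', simulateFetch(POLICY, TO_OTHER_HOST));  // blocked
```

Two things the model makes visible: the bypass is confined to paths, because host and port are still checked on every hop, and the redirecting resource itself must sit under a whitelisted path, which is why the reporter's note that an open redirect on a whitelisted host defeats path restrictions is accurate.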
Oct 29 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kidd...@gmail.com, Jul 22 2016: attachment (27.4 KB)