Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Steps to reproduce the problem:
PoC 1: `<link rel="prefetch" href="http://linux.im/test_prefetch.jpg">`
PoC 2: `<link rel="prerender" href="http://linux.im">`
PoC 3: `<link rel="dns-prefetch" href="http://linux.im">`
PoC 4: `<link rel="preconnect" href="http://1.111asd1-testcsp.n0tr00t.com">`
PoC 5: `<link rel="preload" href="//linux.im/styles/other.css">`

What is the expected behavior?
Refused to load the xxxxx

What went wrong?
send a request

Did this work before? N/A
Chrome version: 54.0.2840.71 Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 23.0 r0

Author: evi1m0
Source: http://paper.seebug.org/91/

Nov 9 2016:
CSP doesn't restrict `prefetch`, `prerender`, `dns-prefetch`, or `preconnect`. It's arguable that it should (and we're talking about some of those in https://github.com/w3c/webappsec-csp/issues/107, where your opinions would certainly be appreciated). `preload` should require an `as` attribute, and apply policy accordingly. yoav@, can you take a look at whether that's happening?

Nov 9 2016:
preload should apply policy according to the `as` attribute. If that attribute is missing, the applied policy should be `connect-src`. Is there a test case that shows that this is not happening?

Nov 10 2016:
Attackers do not need to use the as attribute when attacking.

Nov 10 2016:
True. Again, if that attribute is missing, the applied policy should be `connect-src`. If that's not the case, it's certainly a bug. Is this what you see? Do you have a test case that shows that?

Nov 10 2016:
See http://45.32.32.225/test.php
Content-Security-Policy: default-src 'self'; content-src 'none'; script-src 'self' 'unsafe-inline';
It can send a request to asd11111111a1121.vqn3j8.ceye.io.

Nov 10 2016:
PoC: http://45.32.32.225/test2.php#<link rel=preload href=http://asd11111111a1121.vqn3j8.ceye.io/test.aaa>

Nov 10 2016:
Can recreate using my own test case.

Nov 11 2016:
I assume this impacts stable - let me know if I'm mistaken.

Nov 15 2016:
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/872f27a9bceebb042082cd1b2f9043e5dd208200

commit 872f27a9bceebb042082cd1b2f9043e5dd208200
Author: yoav <yoav@yoav.ws>
Date: Tue Nov 15 10:07:46 2016

Apply connect-src for link preload with no `as` value

This fixes an issue where connect-src was not applied to preloaded resources, due to their Context.

BUG= 663620
Review-Url: https://codereview.chromium.org/2491903002
Cr-Commit-Position: refs/heads/master@{#432158}

[modify] https://crrev.com/872f27a9bceebb042082cd1b2f9043e5dd208200/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/872f27a9bceebb042082cd1b2f9043e5dd208200/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

Nov 21 2016:
Anything else to be done here, or can we mark as Fixed?
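An added example (JavaScript, not Chromium's or the reporter's code) that models the directive-selection rule the thread settles on: `as` picks the fetch directive, a missing or unknown `as` falls back to `connect-src`, and an unset directive falls back to `default-src`. All function names and the example hosts are hypothetical, and the source-list matcher is a deliberately simplified one.

```javascript
// Added example (not Chromium's code): a small model of how CSP picks the
// directive that governs a <link rel=preload>. `as` selects the destination;
// with no or unknown `as`, the request falls to connect-src, which is what
// the fix above restores. Source matching is simplified (no path/port/nonce).
const AS_TO_DIRECTIVE = {
  script: "script-src", style: "style-src", image: "img-src", font: "font-src",
  audio: "media-src", video: "media-src", track: "media-src", fetch: "connect-src",
};
// Parse a Content-Security-Policy header value into {directive: [sources]}.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Directive governing the preload: the destination's fetch directive if the
// policy sets it, else default-src, else null (nothing restricts the request).
function preloadDirective(asValue, policy) {
  const wanted = AS_TO_DIRECTIVE[(asValue || "").toLowerCase()] || "connect-src";
  if (policy[wanted]) return wanted;
  return policy["default-src"] ? "default-src" : null;
}

// Does a source list permit `url` for a document served from `pageOrigin`?
function allowsSource(sources, url, pageOrigin) {
  const self = new URL(pageOrigin).origin;
  const u = new URL(url, self);
  for (const s of sources) {
    if (s === "'none'") return false;
    if (s === "*") return true;
    if (s === "'self'") { if (u.origin === self) return true; continue; }
    if (s.startsWith("'")) continue;              // 'unsafe-inline' etc. name no host
    if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) {        // scheme-source such as https:
      if (s.toLowerCase() === u.protocol) return true;
      continue;
    }
    const host = s.includes("://") ? new URL(s).host : s.replace(/\/.*$/, "");
    if (host.startsWith("*.") ? u.host.endsWith(host.slice(1)) : host === u.host) return true;
  }
  return false;
}

// True if the policy lets <link rel=preload as=asValue href=url> be fetched.
function preloadAllowed(header, asValue, url, pageOrigin) {
  const policy = parsePolicy(header), directive = preloadDirective(asValue, policy);
  return directive === null || allowsSource(policy[directive], url, pageOrigin);
}
```

With a policy like the reporter's (`default-src 'self'` and no `connect-src`), a preload without `as` to a foreign host resolves to `default-src` and is refused, which is the behaviour the fix restores.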
Mar 11 2017:
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jun 19 2017:
Issue 719242 has been merged into this issue.
Comment 1 by rickyz@chromium.org, Nov 9 2016
Labels: Security_Severity-Low
Owner: mkwst@chromium.org