Security: CSP override in dynamically created iframe from chrome extension
Reported by sepikas....@gmail.com, Mar 7 2017
Issue description
VULNERABILITY DETAILS
The page CSP is overridden from an iframe which is dynamically created in the Chrome extension content script context. The dynamically created iframe has to have its src attribute set to "#" (src="#").
VERSION
Chrome Version: 56.0.2924.87 (64-bit) stable
Operating System: macOS Sierra Version 10.12.3
REPRODUCTION CASE
Create a simple Chrome extension with a single content script containing the following code:
    // Content script: run only in the top-level document, not in frames it creates.
    if (window.top === window) {
        window.onload = function () {
            // Image from an origin the page's CSP (img-src) would not normally allow.
            var img = document.createElement("img");
            img.setAttribute("src", "https://storage.googleapis.com/material-icons/external-assets/v4/icons/svg/ic_check_circle_black_24px.svg");

            // Same-document iframe (src="#"); inject the image into its body once it loads.
            var frame = document.createElement("iframe");
            frame.src = "#";
            frame.addEventListener("load", function () {
                var body = frame.contentWindow.document.querySelectorAll("body")[0];
                body.appendChild(img);
            });
            document.body.appendChild(frame);
        };
    }
After the extension has been loaded, navigate to a page which has a Content-Security-Policy header, e.g. https://www.paypal.com/en/signup/account
You can see at the top left or bottom left corner of the page that the image was injected even though the page's Content-Security-Policy should prevent it.
Comment 1 by elawrence@chromium.org, Mar 7 2017
Owner: mkwst@chromium.org

Comment, Mar 8 2017
Right. Extensions can and should be empowered to bypass a page's policy: https://w3c.github.io/webappsec-csp/#extensions. Thanks for the report! I'm closing this out as WontFix. If I've misunderstood the vulnerability you're reporting, please do add a comment accordingly. :)