
Issue 749395

Starred by 1 user

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Feature




Security: Cannot use Content Security Policy to prevent data exfiltration

Reported by ma7h1a...@gmail.com, Jul 27 2017

Issue description

AFFECTED PRODUCTS
--------------------
chrome 59.0.3071.115


DESCRIPTION
--------------------
The latest Google Chrome 59.0.3071.115 fails to apply CSP restrictions to the new "download" attribute of the <a> element, causing a CSP-bypass problem.
For Firefox, this attribute only works for same-origin URLs.
https://developer.mozilla.org/en/docs/Web/HTML/Element/a

PoC
--------------------
poc.html, which enables the content security policy; please put it on a local HTTP server
and set a cookie for the test.
This attack shows that your cookie is sent to a remote server, bypassing the content security policy.
http://www.math1as.com/xsslog.txt shows the cookie received.

x.gif shows how this attack works.

SOLUTION
--------------------
Follow Mozilla's document.


CREDIT
--------------------
This vulnerability was discovered by mathiaswu of Tencent's Xuanwu Lab.
 
Attachment: poc.html (302 bytes)

Comment 1 by vakh@chromium.org, Jul 27 2017

Cc: mkwst@chromium.org
Components: Blink>SecurityFeature>ContentSecurityPolicy
Owner: andypaicu@chromium.org
andypaicu@ -- would you like to comment on this?

Comment 2 by mkwst@chromium.org, Jul 27 2017

Cc: jochen@chromium.org
CSP doesn't govern navigations or downloads today. It's a weakness in CSP, and sounds like a reasonable feature request (that we're sketching out a solution to in https://w3c.github.io/webappsec-csp/#navigation-to), but not something I'd consider a vulnerability.

CCing jochen@ for the same-origin download question, as I think he's working through that in https://groups.google.com/a/chromium.org/forum/#!topic/Blink-dev/Iw3_SUcagGg.

Comment 3 by jochen@chromium.org, Jul 27 2017

It's not true that this attribute only works for same-origin URLs in Firefox. If the URL is cross-origin and doesn't send a Content-Disposition header, Firefox will attempt to navigate to it. When it's a file that would typically download, the navigation will still end in a download (e.g. for .exe files).

Comment 4 by sheriffbot@chromium.org, Jul 27 2017

Status: Assigned (was: Unconfirmed)
Summary: Security: Cannot use Content Security Policy to prevent data exfiltration (was: Security: bypass chrome content security policy via a new feature)
It sounds like the correct course of action is to reclassify this as a public Feature Request, like "Enable CSP to govern navigation"?

Comment 6 by vakh@chromium.org, Jul 31 2017

Labels: -Type-Bug-Security Type-Feature
Based on the discussion so far, I agree that this is a feature request, more than a bug report.

Comment 7 by palmer@chromium.org, Sep 21 2017

Components: Security
Labels: -Restrict-View-SecurityTeam
Actually making this bug public.

Comment 8 by mkwst@chromium.org, Oct 9 2017

Labels: OS-Android OS-Chrome OS-Linux OS-Mac OS-Windows Pri-3

Comment 9 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt
Labels: -Hotlist-EnamelAndFriendsFixIt
