Security: content security policy bypass
Reported by ma7h1a...@gmail.com, Oct 26 2017
Issue description

AFFECTED PRODUCTS
--------------------
chrome 62.0.3202.62 stable

DESCRIPTION
--------------------
online demo: http://xsser.math1as.com/csp.html
Firefox & Safari block the request, but Chrome does not.
In one word: "CSP not inherited after an iframe navigates to an about:blank scheme URI"
Oct 26 2017
The key point is in third_party/WebKit/Source/core/dom/Document.cpp:

      policy_to_inherit =
          inherit_from->GetSecurityContext()->GetContentSecurityPolicy();
      if (url_.IsEmpty() || url_.ProtocolIsAbout() || url_.ProtocolIsData() ||
          url_.ProtocolIs("blob") || url_.ProtocolIs("filesystem")) {
        GetContentSecurityPolicy()->CopyStateFrom(policy_to_inherit);
      }
    }
  }

After the check, the CSP is not inherited.
inherit_from->GetSecurityContext()->GetContentSecurityPolicy(); may get a null result.
Oct 26 2017
Another possible reason is: your code did not consider the following situation. When the top frame navigates from a.com to about:blank, the CSP does not need to be inherited because the page does not inherit the origin. But in an iframe, it inherits the origin (a.com), so it needs to consider the CSP. So you need to add a check in PlzNavigate.
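As an added example (not code from Chromium, the reporter, or the fix), the Python below models the two pieces the previous two comments are about: the local-scheme test from the quoted Document.cpp check decides whether a child frame inherits its parent's policy, and a frame-src check then runs against either the document's copy of that policy or a separate navigation copy. When the inherited policy is not propagated to the navigation copy, the check runs against a blank policy and allows what the parent's policy would block, which is the failure mode the fix later in this thread describes. The names Policy, nested_frame_check, the flag propagate_to_navigation and the example origins are assumptions of this example, and the source matcher covers only a subset of CSP source expressions.

```python
# Added example (not Chromium code): a small model of how a CSP is inherited
# by a local-scheme frame (about:blank, data:, blob:, filesystem:) and how a
# frame-src navigation check behaves when the inherited policy is, or is not,
# propagated to the copy of the policy that navigation checks consult.
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Schemes treated as "local" in the Document.cpp check quoted in the thread.
LOCAL_SCHEMES = ("about", "data", "blob", "filesystem")

Directives = Dict[str, List[str]]


@dataclass
class Policy:
    """Minimal CSP: directive name -> list of source expressions.

    `navigation` is the copy consulted by navigation (frame-src) checks; it
    stands in for the separate PlzNavigate copy named in the fix commit.
    """
    directives: Directives = field(default_factory=dict)
    navigation: Directives = field(default_factory=dict)

    def copy_state_from(self, other: "Policy", propagate_to_navigation: bool) -> None:
        """Inherit `other`; the flag models whether the navigation copy is updated too."""
        self.directives = {k: list(v) for k, v in other.directives.items()}
        if propagate_to_navigation:
            self.navigation = {k: list(v) for k, v in other.directives.items()}


def parse_policy(header: str) -> Policy:
    """Parse header text such as "default-src 'self'; frame-src https://a.example"."""
    directives: Directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return Policy(directives=directives,
                  navigation={k: list(v) for k, v in directives.items()})


def inherits_parent_policy(document_url: str) -> bool:
    """Mirror of the local-scheme test quoted from Document.cpp."""
    if document_url == "":
        return True
    return urlsplit(document_url).scheme.lower() in LOCAL_SCHEMES


def source_matches(source: str, target: str, self_origin: str) -> bool:
    """Match one CSP source expression against a target URL (subset of CSP3)."""
    t = urlsplit(target)
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        s = urlsplit(self_origin)
        return (s.scheme, s.netloc) == (t.scheme, t.netloc)
    if source.endswith(":"):  # scheme-source, e.g. "https:"
        return t.scheme == source[:-1].lower()
    # host-source, with optional scheme and an optional leading wildcard label
    s = urlsplit(source if "://" in source else "https://" + source)
    if "://" in source and s.scheme != t.scheme:
        return False
    host, target_host = (s.hostname or ""), (t.hostname or "")
    if host.startswith("*."):
        return target_host.endswith(host[1:])
    return host == target_host


def frame_src_allows(directives: Directives, target: str, self_origin: str) -> bool:
    """Navigation check: frame-src falls back to child-src, then default-src.
    A blank policy has no directive at all and therefore allows everything."""
    for name in ("frame-src", "child-src", "default-src"):
        if name in directives:
            return any(source_matches(src, target, self_origin) for src in directives[name])
    return True


def nested_frame_check(parent_header: str, child_url: str, target: str,
                       self_origin: str, propagate_to_navigation: bool) -> dict:
    """A parent document carrying `parent_header` embeds a frame at `child_url`,
    which then tries to navigate a nested frame to `target`. Returns whether
    each copy of the child's policy would block that navigation."""
    parent = parse_policy(parent_header)
    child = Policy()
    if inherits_parent_policy(child_url):
        child.copy_state_from(parent, propagate_to_navigation)
    return {
        "document_blocks": not frame_src_allows(child.directives, target, self_origin),
        "navigation_blocks": not frame_src_allows(child.navigation, target, self_origin),
    }


if __name__ == "__main__":
    # Constructed scenario: a.example sets frame-src 'self' and embeds an about:blank frame.
    args = ("frame-src 'self'", "about:blank", "https://other.example/", "https://a.example")
    print("without propagation:", nested_frame_check(*args, propagate_to_navigation=False))
    print("with propagation:   ", nested_frame_check(*args, propagate_to_navigation=True))
```

The point of the two calls at the bottom is that the document copy of the child's policy blocks the cross-origin nested frame in both cases; only the navigation copy differs, and an empty navigation copy is indistinguishable from "no policy at all". The same model can be reused to see that a child at an https: URL does not inherit anything, which matches the top-frame case described in the comment above.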
Oct 30 2017
ping
Oct 30 2017
Re #5: This issue will be triaged as a part of the normal Chrome security triage process. At first glance, it does not seem to be of particularly high severity.
Oct 30 2017
andypaicu: Would you mind taking a look?
Nov 9 2017
andypaicu: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 21 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/209f225b2d51334eaf69ffdf002e25eaa1e0d448

commit 209f225b2d51334eaf69ffdf002e25eaa1e0d448
Author: Andy Paicu <andypaicu@chromium.org>
Date: Tue Nov 21 14:59:32 2017

Fixed bug where PlzNavigate CSP in an iframe did not get the inherited CSP

When inheriting the CSP from a parent document to a local-scheme CSP, it does not always get propagated to the PlzNavigate CSP. This means that PlzNavigate CSP checks (like `frame-src`) would be run against a blank policy instead of the proper inherited policy.

Bug: 778658
Change-Id: I61bb0d432e1cea52f199e855624cb7b3078f56a9
Reviewed-on: https://chromium-review.googlesource.com/765969
Commit-Queue: Andy Paicu <andypaicu@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#518245}

[add] https://crrev.com/209f225b2d51334eaf69ffdf002e25eaa1e0d448/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html
[add] https://crrev.com/209f225b2d51334eaf69ffdf002e25eaa1e0d448/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/generic/policy-inherited-correctly-by-plznavigate.html.sub.headers
[add] https://crrev.com/209f225b2d51334eaf69ffdf002e25eaa1e0d448/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/support/fail.html
[modify] https://crrev.com/209f225b2d51334eaf69ffdf002e25eaa1e0d448/third_party/WebKit/Source/core/dom/Document.cpp
Dec 15 2017
This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 18 2017
Fix is already in 64.
Jan 22 2018
*** Boilerplate reminders! *** Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing. *********************************
Jan 22 2018
Thanks! $1,000 for this report from the VRP panel.
Mar 8 2018
Mar 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot