New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 2
Type: Bug-Security



Sign in to add a comment

CSP object-src 'none' allows load of image in <object> tag

Reported by zxyrz...@gmail.com, Feb 13 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36

Steps to reproduce the problem:
<?php
header("Content-Security-Policy: object-src 'none'");
?>
<object data="http://www.w3school.com.cn/i/eg_tulip.jpg"></object>

What is the expected behavior?

What went wrong?
When CSP set `object-src 'none'`, Chrome let the image in object tag show while Firefox block it

Did this work before? N/A 

Chrome version: 64.0.3282.140  Channel: stable
OS Version: OS X 10.13.3
Flash Version: Shockwave Flash 28.0 r0
 
Components: Blink>SecurityFeature>ContentSecurityPolicy
Labels: Security_Impact-Stable
Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Windows
Status: Untriaged (was: Unconfirmed)
Summary: CSP object-src 'none' allows load of image in <object> tag (was: CSP objec-src 'none' let image in <object> tag load)
Image is blocked as expected in Firefox and Edge.

Image is not blocked in Chrome 63 to 66 ToT and Safari Stable/TP.
https://whytls.com/test/CSPObjectSrcNone.php
Cc: andypaicu@chromium.org mkwst@chromium.org
The image request enters ContentSecurityPolicy::AllowRequest with a context of 
WebURLRequest::kRequestContextImage, so the object-src policy isn't evaluated. This appears to be a violation of CSP2 and CSP3, which note: 

"Note: The object-src directive acts upon any request made on behalf of an object, embed, or applet element. This includes requests which would populate the nested browsing context generated by the former two (also including navigations). This is true even when the data is semantically equivalent to content which would otherwise be restricted by another directive, such as an object element with a text/html MIME type."
Our handling of the OBJECT element has a special case for images, whereby it creates a HTMLImageLoader when it sees that the URL has an image-like file extension.

https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/html/HTMLObjectElement.cpp?l=117&rcl=12595c3ca47ceab49c86914d409375fe60fa4e94
Would this be reasonable? It seems to fix the issue, but perhaps there's some other dire outcome of changing the context like this:

--- a/third_party/WebKit/Source/core/loader/ImageLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/ImageLoader.cpp
@@ -391,6 +391,10 @@ void ImageLoader::DoUpdateFromElement(BypassMainWorldBehavior bypass_behavior,
           referrer_policy, url, document.OutgoingReferrer()));
     }

+    if (IsHTMLObjectElement(GetElement()))
+      resource_request.SetRequestContext(
+          WebURLRequest::kRequestContextObject);
+

Comment 6 by och...@chromium.org, Feb 13 2018

Labels: Security_Severity-Low

Comment 7 by zxyrz...@gmail.com, Feb 14 2018

you can also load svg file like this : `<object data="1.svg" type="image/jpeg"></object>`
so i think it would be medium severity
Re #7, when you load the SVG that way, does it execute script, or is it equivalent to doing <img src="something.svg" />

Comment 9 by zxyrz...@gmail.com, Feb 14 2018

seems like just equivalent to <img src='xxx.svg'

Comment 11 by mkwst@chromium.org, Feb 20 2018

Owner: elawrence@chromium.org
Status: Assigned (was: Untriaged)
Project Member

Comment 12 by bugdroid1@chromium.org, Feb 20 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e56aee6473486fdfac0429747284fda7cdd3aae5

commit e56aee6473486fdfac0429747284fda7cdd3aae5
Author: Eric Lawrence <elawrence@chromium.org>
Date: Tue Feb 20 19:21:03 2018

Use correct Request Context when EMBED or OBJECT requests an image

When an OBJECT or EMBED element requests an image, it does so using
an ImageLoader. To ensure that Content-Security-Policy restrictions
are applied correctly in this scenario, we must adjust the request's
context to indicate the originating element.

Bug:  811691 
Change-Id: I0fd8010970a12e68e845a54310695acc0b3f7625
Reviewed-on: https://chromium-review.googlesource.com/924589
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#537846}
[add] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-image-url-blocked-expected.txt
[add] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-image-url-blocked.html
[add] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-image-url-blocked-expected.txt
[add] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-image-url-blocked.html
[modify] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/Source/core/loader/ImageLoader.cpp

Status: Fixed (was: Assigned)
Project Member

Comment 14 by sheriffbot@chromium.org, Feb 22 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Will this bug displayed in M65 release notes?
Labels: M-66
The fix for this issue will ship in M66. 
I'm afraid the VRP panel declined to reward for this bug, sorry :-(  Many thanks for the report though!
Labels: -reward-topanel reward-0
Labels: Release-0-M66
Labels: CVE-2018-6114
Labels: CVE_description-missing
Project Member

Comment 23 by sheriffbot@chromium.org, May 31

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment