CSP object-src 'none' allows load of image in <object> tag
Reported by
zxyrz...@gmail.com,
Feb 13 2018
|
|||||||||||||||
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
Steps to reproduce the problem:
<?php
header("Content-Security-Policy: object-src 'none'");
?>
<object data="http://www.w3school.com.cn/i/eg_tulip.jpg"></object>
What is the expected behavior?
What went wrong?
When CSP set `object-src 'none'`, Chrome let the image in object tag show while Firefox block it
Did this work before? N/A
Chrome version: 64.0.3282.140 Channel: stable
OS Version: OS X 10.13.3
Flash Version: Shockwave Flash 28.0 r0
,
Feb 13 2018
Image is blocked as expected in Firefox and Edge. Image is not blocked in Chrome 63 to 66 ToT and Safari Stable/TP. https://whytls.com/test/CSPObjectSrcNone.php
,
Feb 13 2018
The image request enters ContentSecurityPolicy::AllowRequest with a context of WebURLRequest::kRequestContextImage, so the object-src policy isn't evaluated. This appears to be a violation of CSP2 and CSP3, which note: "Note: The object-src directive acts upon any request made on behalf of an object, embed, or applet element. This includes requests which would populate the nested browsing context generated by the former two (also including navigations). This is true even when the data is semantically equivalent to content which would otherwise be restricted by another directive, such as an object element with a text/html MIME type."
,
Feb 13 2018
Our handling of the OBJECT element has a special case for images, whereby it creates a HTMLImageLoader when it sees that the URL has an image-like file extension. https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/html/HTMLObjectElement.cpp?l=117&rcl=12595c3ca47ceab49c86914d409375fe60fa4e94
,
Feb 13 2018
Would this be reasonable? It seems to fix the issue, but perhaps there's some other dire outcome of changing the context like this:
--- a/third_party/WebKit/Source/core/loader/ImageLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/ImageLoader.cpp
@@ -391,6 +391,10 @@ void ImageLoader::DoUpdateFromElement(BypassMainWorldBehavior bypass_behavior,
referrer_policy, url, document.OutgoingReferrer()));
}
+ if (IsHTMLObjectElement(GetElement()))
+ resource_request.SetRequestContext(
+ WebURLRequest::kRequestContextObject);
+
,
Feb 13 2018
,
Feb 14 2018
you can also load svg file like this : `<object data="1.svg" type="image/jpeg"></object>` so i think it would be medium severity
,
Feb 14 2018
Re #7, when you load the SVG that way, does it execute script, or is it equivalent to doing <img src="something.svg" />
,
Feb 14 2018
seems like just equivalent to <img src='xxx.svg'
,
Feb 16 2018
Let's see what breaks: https://chromium-review.googlesource.com/c/chromium/src/+/924589
,
Feb 20 2018
,
Feb 20 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e56aee6473486fdfac0429747284fda7cdd3aae5 commit e56aee6473486fdfac0429747284fda7cdd3aae5 Author: Eric Lawrence <elawrence@chromium.org> Date: Tue Feb 20 19:21:03 2018 Use correct Request Context when EMBED or OBJECT requests an image When an OBJECT or EMBED element requests an image, it does so using an ImageLoader. To ensure that Content-Security-Policy restrictions are applied correctly in this scenario, we must adjust the request's context to indicate the originating element. Bug: 811691 Change-Id: I0fd8010970a12e68e845a54310695acc0b3f7625 Reviewed-on: https://chromium-review.googlesource.com/924589 Commit-Queue: Eric Lawrence <elawrence@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#537846} [add] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-image-url-blocked-expected.txt [add] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-image-url-blocked.html [add] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-image-url-blocked-expected.txt [add] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-image-url-blocked.html [modify] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/Source/core/loader/ImageLoader.cpp
,
Feb 21 2018
,
Feb 22 2018
,
Feb 26 2018
,
Mar 4 2018
Will this bug displayed in M65 release notes?
,
Mar 5 2018
The fix for this issue will ship in M66.
,
Mar 6 2018
I'm afraid the VRP panel declined to reward for this bug, sorry :-( Many thanks for the report though!
,
Mar 6 2018
,
Apr 17 2018
,
Apr 25 2018
,
Apr 25 2018
,
May 31 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 4
|
|||||||||||||||
►
Sign in to add a comment |
|||||||||||||||
Comment 1 by elawrence@chromium.org
, Feb 13 2018Labels: Security_Impact-Stable