Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 2
Type: Bug-Security




Issue 811691: CSP object-src 'none' allows load of image in <object> tag

Reported by zxyrz...@gmail.com, Feb 13 2018

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36

Steps to reproduce the problem:
<?php
header("Content-Security-Policy: object-src 'none'");
?>
<object data="http://www.w3school.com.cn/i/eg_tulip.jpg"></object>

What is the expected behavior?

What went wrong?
When CSP sets `object-src 'none'`, Chrome lets the image in the object tag show, while Firefox blocks it.

Did this work before? N/A 

Chrome version: 64.0.3282.140  Channel: stable
OS Version: OS X 10.13.3
Flash Version: Shockwave Flash 28.0 r0
 

Comment 1 by elawrence@chromium.org, Feb 13 2018

Components: Blink>SecurityFeature>ContentSecurityPolicy
Labels: Security_Impact-Stable

Comment 2 by elawrence@chromium.org, Feb 13 2018

Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Windows
Status: Untriaged (was: Unconfirmed)
Summary: CSP object-src 'none' allows load of image in <object> tag (was: CSP objec-src 'none' let image in <object> tag load)
Image is blocked as expected in Firefox and Edge.

Image is not blocked in Chrome 63 to 66 ToT and Safari Stable/TP.
https://whytls.com/test/CSPObjectSrcNone.php

Comment 3 by elawrence@chromium.org, Feb 13 2018

Cc: andypaicu@chromium.org mkwst@chromium.org
The image request enters ContentSecurityPolicy::AllowRequest with a context of WebURLRequest::kRequestContextImage, so the object-src policy isn't evaluated. This appears to be a violation of CSP2 and CSP3, which note:

"Note: The object-src directive acts upon any request made on behalf of an object, embed, or applet element. This includes requests which would populate the nested browsing context generated by the former two (also including navigations). This is true even when the data is semantically equivalent to content which would otherwise be restricted by another directive, such as an object element with a text/html MIME type."

Comment 4 by elawrence@chromium.org, Feb 13 2018

Our handling of the OBJECT element has a special case for images, whereby it creates an HTMLImageLoader when it sees that the URL has an image-like file extension.

https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/html/HTMLObjectElement.cpp?l=117&rcl=12595c3ca47ceab49c86914d409375fe60fa4e94
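The mechanism in comments #3 and #4 (directive selection keyed on the request context rather than on the originating element, and an image loader that always tags its request as an image) is easiest to see in a reduced model. The following is an added example and not Blink code: `RequestContext`, `ElementKind`, `ParsePolicy`, `AllowRequest`, `ContextBeforeFix` and `ContextAfterFix` are hypothetical stand-ins for the Blink pieces named in the comments, the policy parser understands only `'none'` and `*`, and the "after" path reflects the direction of the fix discussed later in the thread (tag the request with the object/embed context) rather than the exact Blink code.

```cpp
// Added example (not Blink code): a toy model of why an image fetched through
// an <object> element slipped past `object-src 'none'`, and how tagging the
// request with the originating element's context closes the gap.
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-ins for Blink's WebURLRequest::RequestContext values.
enum class RequestContext { kImage, kObject, kEmbed };

// Hypothetical stand-in for the kind of element that issued the request.
enum class ElementKind { kImg, kObject, kEmbed };

// Minimal CSP policy: directive name -> source-list tokens.
// Only 'none' and '*' are modelled; host matching is out of scope here.
struct Policy {
  std::map<std::string, std::vector<std::string>> directives;
};

// Parse a header value such as "object-src 'none'; img-src *" into a Policy.
Policy ParsePolicy(const std::string& header) {
  Policy p;
  std::stringstream ss(header);
  std::string directive;
  while (std::getline(ss, directive, ';')) {
    std::stringstream ds(directive);
    std::string name, token;
    if (!(ds >> name)) continue;  // skip empty segments
    std::vector<std::string> sources;
    while (ds >> token) sources.push_back(token);
    p.directives[name] = sources;
  }
  return p;
}

// Which directive governs a request is decided purely by the request's
// context (comment #3): an object-src policy is never consulted for a
// request tagged as an image, whatever element issued it.
std::string DirectiveFor(RequestContext ctx) {
  switch (ctx) {
    case RequestContext::kImage: return "img-src";
    case RequestContext::kObject:
    case RequestContext::kEmbed: return "object-src";
  }
  return "default-src";
}

// True if the policy allows the request. A missing directive falls back to
// default-src; with no default-src either, the request is allowed.
bool AllowRequest(const Policy& policy, RequestContext ctx) {
  auto it = policy.directives.find(DirectiveFor(ctx));
  if (it == policy.directives.end()) it = policy.directives.find("default-src");
  if (it == policy.directives.end()) return true;
  const std::vector<std::string>& sources = it->second;
  return !(sources.size() == 1 && sources[0] == "'none'");
}

// Buggy behaviour (comment #4): the object element hands an image-looking URL
// to an image loader, which tags every request it makes as an image.
RequestContext ContextBeforeFix(ElementKind) { return RequestContext::kImage; }

// Corrected behaviour: the loader tags the request with the context of the
// element that issued it, so object-src is evaluated for <object>/<embed>.
RequestContext ContextAfterFix(ElementKind element) {
  switch (element) {
    case ElementKind::kObject: return RequestContext::kObject;
    case ElementKind::kEmbed: return RequestContext::kEmbed;
    case ElementKind::kImg: return RequestContext::kImage;
  }
  return RequestContext::kImage;
}

// Does `header` allow an image URL loaded via `element`, before/after the fix?
bool LoadsBeforeFix(const std::string& header, ElementKind element) {
  return AllowRequest(ParsePolicy(header), ContextBeforeFix(element));
}
bool LoadsAfterFix(const std::string& header, ElementKind element) {
  return AllowRequest(ParsePolicy(header), ContextAfterFix(element));
}
```

With the reporter's header, `LoadsBeforeFix("object-src 'none'", ElementKind::kObject)` is true (the image context falls through to a non-existent img-src/default-src), while `LoadsAfterFix` with the same arguments is false; a genuine `<img>` is still governed by img-src in both versions.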

Comment 5 by elawrence@chromium.org, Feb 13 2018

Would this be reasonable? It seems to fix the issue, but perhaps there's some other dire outcome of changing the context like this:

--- a/third_party/WebKit/Source/core/loader/ImageLoader.cpp
+++ b/third_party/WebKit/Source/core/loader/ImageLoader.cpp
@@ -391,6 +391,10 @@ void ImageLoader::DoUpdateFromElement(BypassMainWorldBehavior bypass_behavior,
           referrer_policy, url, document.OutgoingReferrer()));
     }

+    if (IsHTMLObjectElement(GetElement()))
+      resource_request.SetRequestContext(
+          WebURLRequest::kRequestContextObject);
+
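Review bot: the new branch only retags requests from HTMLObjectElement, but the CSP text quoted in #3 says object-src governs embed elements as well, and the landed commit message below confirms EMBED goes through the same ImageLoader path; as written, an image URL in `<embed>` would still be sent as kRequestContextImage and bypass `object-src 'none'`. Suggest adding the embed case next to the object one, e.g. `else if (IsHTMLEmbedElement(GetElement())) resource_request.SetRequestContext(WebURLRequest::kRequestContextEmbed);`, and covering each element with its own layout test so the context switch is exercised for both.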

Comment 6 by och...@chromium.org, Feb 13 2018

Labels: Security_Severity-Low

Comment 7 by zxyrz...@gmail.com, Feb 14 2018

You can also load an SVG file like this: `<object data="1.svg" type="image/jpeg"></object>`
so I think it would be medium severity.

Comment 8 by elawrence@chromium.org, Feb 14 2018

Re #7, when you load the SVG that way, does it execute script, or is it equivalent to doing `<img src="something.svg" />`?

Comment 9 by zxyrz...@gmail.com, Feb 14 2018

Seems like it's just equivalent to `<img src='xxx.svg'>`.

Comment 11 by mkwst@chromium.org, Feb 20 2018

Owner: elawrence@chromium.org
Status: Assigned (was: Untriaged)

Comment 12 by bugdroid1@chromium.org, Feb 20 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e56aee6473486fdfac0429747284fda7cdd3aae5

commit e56aee6473486fdfac0429747284fda7cdd3aae5
Author: Eric Lawrence <elawrence@chromium.org>
Date: Tue Feb 20 19:21:03 2018

Use correct Request Context when EMBED or OBJECT requests an image

When an OBJECT or EMBED element requests an image, it does so using
an ImageLoader. To ensure that Content-Security-Policy restrictions
are applied correctly in this scenario, we must adjust the request's
context to indicate the originating element.

Bug: 811691
Change-Id: I0fd8010970a12e68e845a54310695acc0b3f7625
Reviewed-on: https://chromium-review.googlesource.com/924589
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/master@{#537846}
[add] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-image-url-blocked-expected.txt
[add] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-image-url-blocked.html
[add] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-image-url-blocked-expected.txt
[add] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-image-url-blocked.html
[modify] https://crrev.com/e56aee6473486fdfac0429747284fda7cdd3aae5/third_party/WebKit/Source/core/loader/ImageLoader.cpp

Comment 13 by elawrence@chromium.org, Feb 21 2018

Status: Fixed (was: Assigned)

Comment 14 by sheriffbot@chromium.org, Feb 22 2018

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 15 by awhalley@google.com, Feb 26 2018

Labels: reward-topanel

Comment 16 by zxyrz...@gmail.com, Mar 4 2018

Will this bug be displayed in the M65 release notes?

Comment 17 by elawrence@chromium.org, Mar 5 2018

Labels: M-66
The fix for this issue will ship in M66.

Comment 18 by awhalley@google.com, Mar 6 2018

I'm afraid the VRP panel declined to reward for this bug, sorry :-(  Many thanks for the report though!

Comment 19 by awhalley@google.com, Mar 6 2018

Labels: -reward-topanel reward-0

Comment 20 by awhalley@google.com, Apr 17 2018

Labels: Release-0-M66

Comment 21 by awhalley@chromium.org, Apr 25 2018

Labels: CVE-2018-6114

Comment 22 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-missing

Comment 23 by sheriffbot@chromium.org, May 31 2018

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 24 by awhalley@chromium.org, Jan 4

Labels: -CVE_description-missing CVE_description-submitted
