Technically CSP bypass using upgrade-insecure-request
Reported by
s.h.h.n....@gmail.com,
Mar 15 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36

Steps to reproduce the problem:
1. Go to http://test.shhnjk.com/upgrade.php

What is the expected behavior?
No alert popups.

What went wrong?
vuln.shhnjk.com/noupgrade.php has CSP "script-src http://shhnjk.com/" but the script is loaded from https://shhnjk.com/alert.js. I can't think of an attack scenario, so I just want to know whether it's a spec issue or an implementation issue (since it affects all browsers).

Did this work before? N/A

Chrome version: 65.0.3325.162
Channel: stable
OS Version: 10.0
Flash Version:
Mar 15 2018
The CSP specification changed to simplify migrations to HTTPS.

https://www.w3.org/TR/CSP3/#changes-from-level-2

"The URL matching algorithm now treats insecure schemes and ports as matching their secure variants. That is, the source expression http://example.com:80 will match both http://example.com:80 and https://example.com:443."
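The matching rule quoted in the comment above, as an added example that is not part of the original thread and is neither the specification's algorithm text nor Chromium's code. It is a simplified model covering only scheme, exact host and port (no wildcards, no path matching); the function names and other.example are hypothetical.

```javascript
// Simplified model of CSP3 host-source matching (scheme, exact host, port).
const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
const SECURE_VARIANT = { "http:": "https:", "ws:": "wss:" };

// The URL parser drops default ports, so restore them for comparison.
function effectivePort(u) {
  return u.port || DEFAULT_PORT[u.protocol] || "";
}

// An insecure scheme in the policy also matches its secure variant.
// The reverse (https in the policy, http resource) never matches.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme || SECURE_VARIANT[exprScheme] === urlScheme;
}

// Ports match when equal, or when the policy names the insecure default
// port and the resource uses the secure variant's default port (80 -> 443).
function portMatches(expr, url) {
  const e = effectivePort(expr);
  const u = effectivePort(url);
  if (e === u) return true;
  const secure = SECURE_VARIANT[expr.protocol];
  return secure === url.protocol &&
    e === DEFAULT_PORT[expr.protocol] &&
    u === DEFAULT_PORT[secure];
}

function hostSourceMatches(expression, resourceUrl) {
  const expr = new URL(expression);
  const url = new URL(resourceUrl);
  return schemeMatches(expr.protocol, url.protocol) &&
    expr.hostname === url.hostname &&
    portMatches(expr, url);
}

// Exact scheme and port comparison, the behaviour the report expected.
function exactMatches(expression, resourceUrl) {
  const expr = new URL(expression);
  const url = new URL(resourceUrl);
  return expr.protocol === url.protocol &&
    expr.hostname === url.hostname &&
    effectivePort(expr) === effectivePort(url);
}

// The case from the report: policy source vs. the script actually loaded.
console.log(hostSourceMatches("http://shhnjk.com/", "https://shhnjk.com/alert.js"));
console.log(exactMatches("http://shhnjk.com/", "https://shhnjk.com/alert.js"));
```

The match is one-directional: a policy that lists https://shhnjk.com/ does not allow the http:// resource, so writing the secure scheme in the source expression is what pins a policy to HTTPS.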
Mar 15 2018
Alright so this isn't a bug at all. Sorry about that. Thanks, Eric!
Jun 22 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by est...@chromium.org, Mar 15 2018
Components: Blink>SecurityFeature>ContentSecurityPolicy
Owner: andypaicu@chromium.org
Status: Assigned (was: Unconfirmed)