Closed
Bug 1235872
Opened 9 years ago
Closed 8 years ago
Consider not accepting <script> served as text/csv across origins
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED DUPLICATE of bug 1299267
People: (Reporter: ehsan.akhgari, Unassigned)
Details: (Keywords: sec-want)
See bug 1232785 which was an exploit against bugzilla.mozilla.org.
I think we should consider rejecting text/csv served scripts in <script> tags because other websites may be similarly vulnerable. Such websites will already be broken in Chrome. We can consider sending a telemetry ping when we encounter such scripts.
Boris, smaug, what do you think?
Flags: needinfo?
Updated•9 years ago
Flags: needinfo?
Comment 1•9 years ago
Comment 2•9 years ago
I'm not suggesting that we should implement X-Content-Type-Options in this bug.
Summary: Consider not accepting <script> served as text/csv → Consider not accepting <script> served as text/csv across origins
Updated•9 years ago
Group: core-security → dom-core-security
Comment 3•9 years ago
Feels like a hack to me. What other types should we also reject interpreting as js?
But https://bugzilla.mozilla.org/show_bug.cgi?id=1232785#c77 hints that Chrome is doing something very un-spec'ed. Do we know what exactly? Should it be spec'ed and then implemented everywhere?
Comment 4•9 years ago
Is it possibly https://code.google.com/p/chromium/codesearch#chromium/src/components/mime_util/mime_util.cc&q=text/csv&sq=package:chromium&dr=C&l=76
That is down deep in chromium, so not sure if blink uses the same list.
Comment 5•9 years ago
But shouldn't CSP have something for this?
I guess I'm thinking of something like script-owner, which would require a certain domain to be the loader, similar-ish to frame-ancestor or using X-Frame-Options.
Comment 6•9 years ago
In our original CSP proposal we wanted using CSP to be an opt-in to strict MIME type checking for script (at least), but that was rejected :-(
text/csv isn't the only problem: CSV is often served as text/plain or maybe application/octet-stream (I know I've been forced to download them before). I'd love to fix this, but knocking off only text/csv seems way too narrow. On the other hand, blocking text/plain would break a bunch, I'm sure.
The bugzilla bug isn't hidden anymore, we don't need this discussion to be private.
Group: dom-core-security
Keywords: sec-want
Comment 7•9 years ago
Should we just do what Chrome does, for now?
Gerv
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Comment 9•8 years ago
Note that we have bug 1333995 to block other MIME types than text/csv.
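The checks this thread argues about, as an added example in JavaScript that is not Gecko or Chromium code: a model of whether a <script> response may run, given the document origin, the script URL and the response headers. It assumes lowercase header names and a minimal Content-Type parser; the audio/image/video block alongside text/csv mirrors the check the Fetch specification later standardized, and the nosniff rule is the one comment 2 sets aside.

```javascript
// JavaScript MIME types (as listed by the MIME Sniffing standard); nosniff
// rejects a script whose Content-Type essence is not one of these.
const JAVASCRIPT_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// MIME essence: type/subtype, lowercased, parameters dropped
// ("text/csv; charset=utf-8" -> "text/csv"). Minimal parser for this example.
function mimeEssence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

function isCrossOrigin(documentUrl, scriptUrl) {
  return new URL(documentUrl).origin !== new URL(scriptUrl).origin;
}

// Returns { execute, reason }. `crossOriginOnly` limits the type block to
// cross-origin loads, as this bug's title proposes; false applies it to every
// load, which is what the standardized Fetch check does.
function shouldExecuteScript(documentUrl, scriptUrl, headers, { crossOriginOnly = true } = {}) {
  const essence = mimeEssence(headers["content-type"]);
  const nosniff = (headers["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
  // 1. Types that are never a script: text/csv plus audio/*, image/*, video/*.
  const neverScript = essence === "text/csv" || /^(audio|image|video)\//.test(essence);
  if (neverScript && (!crossOriginOnly || isCrossOrigin(documentUrl, scriptUrl))) {
    return { execute: false, reason: `blocked: ${essence} is not a script type` };
  }
  // 2. nosniff: only JavaScript MIME types may run; a missing type is also blocked.
  if (nosniff && !JAVASCRIPT_MIME_TYPES.has(essence)) {
    return { execute: false, reason: `blocked by nosniff: ${essence || "(no type)"}` };
  }
  // Legacy behaviour: anything else (text/plain, application/octet-stream) still runs.
  return { execute: true, reason: essence ? `executed as ${essence}` : "executed (no Content-Type)" };
}

// Constructed sample: a CSV export on another origin pulled in via <script src>.
const csvExport = { "content-type": "text/csv; charset=utf-8" };
console.log(shouldExecuteScript("https://app.example/page", "https://bugs.example/export.csv", csvExport));
```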
Updated•6 years ago
Component: DOM → DOM: Core & HTML