Closed
Bug 1235872
Opened 8 years ago
Closed 7 years ago
Consider not accepting <script> served as text/csv across origins
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED DUPLICATE of bug 1299267
People: (Reporter: ehsan.akhgari, Unassigned)
Keywords: sec-want
See bug 1232785 which was an exploit against bugzilla.mozilla.org. I think we should consider rejecting text/csv served scripts in <script> tags because other websites may be similarly vulnerable. Such websites will already be broken in Chrome. We can consider sending a telemetry ping when we encounter such scripts. Boris, smaug, what do you think?
Flags: needinfo?
Updated•8 years ago
Flags: needinfo?
Comment 1•8 years ago
See also bug 471020 comment 69, bug 471020 comment 41 and bug 1048535 comment 46.
Comment 2•8 years ago (Reporter)
I'm not suggesting that we should implement X-Content-Type-Options in this bug.
Summary: Consider not accepting <script> served as text/csv → Consider not accepting <script> served as text/csv across origins
Updated•8 years ago
Group: core-security → dom-core-security
Comment 3•8 years ago
Feels like a hack to me. What other types should we also reject interpreting as JS? But https://bugzilla.mozilla.org/show_bug.cgi?id=1232785#c77 hints that Chrome is doing something very un-spec'ed. Do we know what exactly? Should it be spec'ed and then implemented everywhere?
Comment 4•8 years ago
Is it possibly https://code.google.com/p/chromium/codesearch#chromium/src/components/mime_util/mime_util.cc&q=text/csv&sq=package:chromium&dr=C&l=76 ? That is down deep in Chromium, so not sure if Blink uses the same list.
Comment 5•8 years ago
But shouldn't CSP have something for this? I guess I'm thinking of something like script-owner, which would require a certain domain to be the loader, similar-ish to frame-ancestors or using X-Frame-Options.
Comment 6•8 years ago
In our original CSP proposal we wanted using CSP to be an opt-in to strict MIME type checking for script (at least), but that was rejected :-( text/csv isn't the only problem: CSV is often served as text/plain or maybe application/octet-stream (I know I've been forced to download them before). I'd love to fix this, but knocking off only text/csv seems way too narrow. On the other hand, blocking text/plain would break a bunch, I'm sure. The bugzilla bug isn't hidden anymore, so we don't need this discussion to be private.
Group: dom-core-security
Keywords: sec-want
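The cross-origin MIME check the thread is debating, modelled as an added example (not Firefox or Chromium code). The cross-origin blocklist (just text/csv, as the bug title proposes) and the sample loads are assumptions; the nosniff branch follows the documented X-Content-Type-Options behaviour, where a script must carry a JavaScript MIME type:

```python
"""Model of a script-load MIME decision. Added example, not browser code."""

# JavaScript MIME types as listed in the WHATWG Fetch standard.
JS_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})

# Assumed blocklist for cross-origin <script> loads: only text/csv, the narrow
# proposal in this bug. Pass a wider set to model blocking more types.
CROSS_ORIGIN_BLOCKED = frozenset({"text/csv"})


def mime_essence(content_type: str) -> str:
    """Lower-cased type/subtype with parameters such as charset removed."""
    return content_type.split(";", 1)[0].strip().lower()


def script_decision(content_type, same_origin, nosniff, blocked=CROSS_ORIGIN_BLOCKED):
    """Return (execute?, reason) for a <script> response."""
    essence = mime_essence(content_type)
    # nosniff applies regardless of origin: non-JS types never execute.
    if nosniff and essence not in JS_MIME_TYPES:
        return False, f"nosniff: {essence or '<none>'} is not a JavaScript MIME type"
    # Without nosniff, only the cross-origin blocklist rejects the load.
    if not same_origin and essence in blocked:
        return False, f"cross-origin script served as {essence}"
    return True, "execute"


# Constructed sample script loads (hypothetical hosts, not from the bug).
SAMPLE_LOADS = [
    {"url": "https://cdn.example/app.js", "content_type": "text/javascript; charset=utf-8",
     "same_origin": False, "nosniff": True},
    {"url": "https://other.example/report.csv", "content_type": "text/csv",
     "same_origin": False, "nosniff": False},
    {"url": "https://app.example/data.csv", "content_type": "text/csv",
     "same_origin": True, "nosniff": False},
    {"url": "https://cdn.example/lib.txt", "content_type": "text/plain",
     "same_origin": False, "nosniff": True},
]


def blocked_loads(loads, blocked=CROSS_ORIGIN_BLOCKED):
    """URLs of loads the model would refuse to execute."""
    return [l["url"] for l in loads
            if not script_decision(l["content_type"], l["same_origin"], l["nosniff"], blocked)[0]]
```

Note that the same-origin text/csv load still executes under the narrow proposal; widening `blocked` or sending nosniff is what closes that gap.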
Comment 7•8 years ago
Should we just do what Chrome does, for now? Gerv
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Comment 9•7 years ago
Note that we have bug 1333995 to block other MIME types than text/csv.
Updated•5 years ago
Component: DOM → DOM: Core & HTML