Open Bug 1324309 Opened 8 years ago Updated 2 years ago

CSP bypass using <font> tags in HTML

Categories

(Core :: DOM: Security, defect, P5)

People

(Reporter: mark, Unassigned)

Details

(Whiteboard: [domsecurity-backlog] requires spec change)

Apparently, this is common behavior across all browsers. Given an HTML document, using the (HTML5-obsoleted) <font> tag while having CSP in place that forbids inline style changes, CSP can be bypassed and font styles changed by the <font> tag in-line. If such code is injected in a document, the attacker can change document styles (albeit in a limited way) to e.g. hide content on a page that would otherwise be visible, or potentially abuse a known-bad font. At the very least a DoS possibility here, but with potential to trick users to navigate to off-site content. Not sure about the severity here, but certainly think this is a security consideration (seeing as other CSP bypass methods are considered vulnerabilities).
If this is common behavior it doesn't need to be hidden; let site authors know about it in case they need to protect themselves. A better forum for this would be an issue on the CSP spec on GitHub: https://github.com/w3c/webappsec-csp/issues. I'm not too worried about this because it doesn't allow for XSS or bypassing content-loading restrictions, which are the main thrust of CSP. It's a tiny part of what <style> can do, but other than making some text disappear or fill up the page it can't move content around or do other transformations that style can do.
Group: core-security
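The practical consequence for site authors, following up the report and comment #1 above: CSP's style-src governs style="" attributes and <style> blocks, but legacy presentational markup like <font color size face> is mapped to CSS by the parser and never passes through CSP, so an HTML sanitizer on the server has to remove it. The following is an added example written for this page, not code from the bug or from Firefox; the set of presentational tags and attributes it strips is an assumption chosen to cover the <font> vector described in the report.

```python
from html import escape
from html.parser import HTMLParser

# <font> only carries presentational hints: drop the element, keep its text.
PRESENTATIONAL_TAGS = {"font"}
# Attributes the browser maps straight to CSS. style="" is what CSP's
# style-src blocks; color/size/face/bgcolor are the ones it does not cover.
PRESENTATIONAL_ATTRS = {"style", "color", "size", "face", "bgcolor"}


class PresentationStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in PRESENTATIONAL_TAGS:
            return
        kept = "".join(
            f' {k}="{escape(v)}"' if v is not None else f" {k}"
            for k, v in attrs if k not in PRESENTATIONAL_ATTRS
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in PRESENTATIONAL_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def strip_presentation(fragment: str) -> str:
    parser = PresentationStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed input: CSP-blocked style="" beside the <font> vector from the report.
SAMPLE = ('<p style="display:none">Notice:</p>'
          '<font color="white" size="1">this page has moved, '
          '<a href="https://example.test/">click here</a></font>')
```

strip_presentation(SAMPLE) returns the fragment with both the style attribute and the <font> element removed while the visible text and the link survive; a sanitizer that relied on CSP alone would have let the <font> hints through.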
(In reply to Daniel Veditz [:dveditz] from comment #1)
> I'm not too worried about this because it doesn't allow for XSS or bypassing
> content-loading restrictions which are the main thrust of CSP. It's a tiny
> part of what <style> can do, but other than making some text disappear or
> fill up the page it can't move content around or other transformations that
> style can do.

I agree, I don't see a ready way to be really malicious with this, but wanted to err on the side of caution. There is e.g. the potential situation that a user is presented with a "this page has moved, click here" trick while hiding the rest of the page content, although very situational, of course.
Priority: -- → P5
Whiteboard: [domsecurity-backlog] requires spec change
Severity: normal → S3