Open
Bug 1324309
Opened 8 years ago
Updated 2 years ago
CSP bypass using <font> tags in HTML
Categories: Core :: DOM: Security, defect, P5
Tracking: NEW
People: Reporter: mark, Unassigned
Details: Whiteboard: [domsecurity-backlog] requires spec change
Apparently, this is common behavior across all browsers.
Given an HTML document, using the (html5-obsoleted) <font> tag while having CSP in place that forbids inline style changes, CSP can be bypassed and font styles changed by the <font> tag in-line. If such code is injected in a document, the attacker can change document styles (albeit in a limited way) to e.g. hide content on a page that would otherwise be visible, or potentially abuse a known-bad font. At the very least there is a DoS possibility here, but with potential to trick users to navigate to off-site content.
Not sure about the severity here, but I certainly think this is a security consideration (seeing as other CSP bypass methods are considered vulnerabilities).
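Because the bug is marked "requires spec change", CSP alone cannot close this gap: `style-src` governs `<style>` elements and `style` attributes, not presentational-hint markup such as `<font color size face>`. A site author who relies on CSP for defense-in-depth therefore has to remove such markup before untrusted fragments reach the page. The following is an added example, not code from this bug report or from Mozilla: an allowlist pre-filter that drops presentational-hint tags and attributes from an HTML fragment and reports what it removed, so the findings can also feed a log or a test. It assumes the input is a well-formed fragment produced by a trusted serializer (no comments, CDATA or unterminated tags); the tag and attribute lists are this example's own choices, not a standard list.

```javascript
// Added example (not from the bug report): strip the presentational hints that a
// CSP style-src directive does not govern, and report each removal.
// Assumption: `html` is a well-formed fragment without comments or CDATA. For
// arbitrary attacker-controlled HTML, a maintained sanitizer (e.g. DOMPurify)
// is the right tool; this shows the rule such a sanitizer has to enforce.

// Legacy tags whose only purpose is styling (this example's own list).
const PRESENTATIONAL_TAGS = new Set(['font', 'center', 'marquee', 'blink']);

// Presentational attributes that browsers map to CSS without any <style> or
// style="" involvement, so style-src never sees them (this example's own list).
const PRESENTATIONAL_ATTRS = new Set([
  'color', 'size', 'face', 'bgcolor', 'align', 'valign', 'width', 'height', 'border',
]);

// Matches one start or end tag: 1 = optional "/", 2 = tag name,
// 3 = raw attribute text, 4 = optional self-closing "/".
const TAG_RE =
  /<(\/?)([a-zA-Z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;

// Matches one attribute inside the raw attribute text: 1 = name, 2 = quoted or bare value.
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

// Returns { html, findings }: the filtered fragment and a list of what was removed.
function stripPresentationalHints(html) {
  const findings = [];
  const out = html.replace(TAG_RE, (whole, close, name, attrs, selfClose) => {
    const tag = name.toLowerCase();

    // Drop the tag entirely but keep its text content; record only the open tag.
    if (PRESENTATIONAL_TAGS.has(tag)) {
      if (!close) findings.push(`tag <${tag}>`);
      return '';
    }

    // End tags carry no attributes; pass them through unchanged.
    if (close) return whole;

    // Rebuild the start tag with only the attributes that are not presentational hints.
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      if (PRESENTATIONAL_ATTRS.has(attr)) {
        findings.push(`attribute ${attr} on <${tag}>`);
        continue;
      }
      kept.push(m[0]);
    }
    const attrText = kept.length ? ' ' + kept.join(' ') : '';
    return `<${name}${attrText}${selfClose ? ' /' : ''}>`;
  });
  return { html: out, findings };
}

// Constructed sample input, modelled on the report: a <font> tag that would still
// render under a CSP forbidding inline styles.
const SAMPLE = '<p>Read <font color="red" size="7" face="Arial">this</font> <a href="/x">link</a></p>';
const result = stripPresentationalHints(SAMPLE);
console.log(result.html);      // <p>Read this <a href="/x">link</a></p>
console.log(result.findings);  // [ 'tag <font>' ]

module.exports = { stripPresentationalHints, PRESENTATIONAL_TAGS, PRESENTATIONAL_ATTRS };
```

The filter keeps the text of a removed `<font>` element so that the page's content survives and only the styling hook is lost; the `findings` list is what you would wire into logging or a CI check to learn how often untrusted input is trying to carry presentational markup past the policy.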
Comment 1•8 years ago
If this is common behavior it doesn't need to be hidden; let site authors know about it in case they need to protect themselves. A better forum for this would be an issue on the CSP spec in github: https://github.com/w3c/webappsec-csp/issues
I'm not too worried about this because it doesn't allow for XSS or bypassing content-loading restrictions, which are the main thrust of CSP. It's a tiny part of what <style> can do, but other than making some text disappear or fill up the page it can't move content around or perform other transformations that style can do.
Group: core-security
Comment 2 (Reporter)•8 years ago
(In reply to Daniel Veditz [:dveditz] from comment #1)
> I'm not too worried about this because it doesn't allow for XSS or bypassing
> content-loading restrictions which are the main thrust of CSP. It's a tiny
> part of what <style> can do, but other than making some text disappear or
> fill up the page it can't move content around or other transformations that
> style can do.
I agree; I don't see a ready way to be really malicious with this, but wanted to err on the side of caution.
There is e.g. the potential situation that a user is presented with a "this page has moved, click here" trick while hiding the rest of the page content, although very situational, of course.
Updated•8 years ago
Priority: -- → P5
Whiteboard: [domsecurity-backlog] requires spec change
Updated•2 years ago
Severity: normal → S3