Closed Bug 1391447 Opened 8 years ago Closed 3 years ago

CSP bypass using about URLs

Categories

(Core :: DOM: Security, defect, P3)


RESOLVED WONTFIX

People

(Reporter: s.h.h.n.j.k, Unassigned)

Details

(Keywords: sec-low, Whiteboard: [domsecurity-backlog2])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36

Steps to reproduce:
1. Go to https://vuln.shhnjk.com/csp_svg.php
2. Images as well as iframes are loaded.

Actual results:
CSP (default-src 'none') is not enforced on about URLs. And some about URLs are framable or loadable from any website.

Expected results:
Enforce CSP on about URLs (why is it even framable?)
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Version: 1.0 Branch → Trunk
Only some about: urls are linkable/loadable from web content, and those are all perfectly safe (about:logo and so on). Technically a CSP bypass which we should fix, but about: urls (that are linkable) are all local so no information is leaking to the web through this bypass. We don't need to keep this hidden.
Group: dom-core-security
Keywords: sec-low
This was explicitly done in bug 1021669 but we don't remember why :-( https://searchfox.org/mozilla-central/source/dom/security/nsCSPService.cpp#79
Priority: -- → P3
Whiteboard: [domsecurity-backlog2]
(the UI_IS_LOCAL_RESOURCE check is so that add-ons can work -- the spec says to try not to break them)
See Also: → 1257744

The only about: urls currently linkable from web content are about:logo and about:blank. The logo isn't really causing any real harm and about:blank is required -- this doesn't seem worth the work to fix at this point.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
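To make the enforcement gap concrete, here is a small model of CSP fetch-directive matching. It is an added illustration, not Firefox's nsCSPService code and not the reporter's test page. The `exempt_about` switch reproduces the behaviour described in the thread (about: URLs skip the policy check entirely), while the default path subjects about: URLs to normal source matching; about:blank is treated as always allowed because, as the thread notes, it loads no content and is required. The policy header, request list and page origin are constructed for the example, and the directive set and source-expression forms are a deliberate subset of CSP3.

```python
"""Simplified model of CSP source matching, with and without the about: exemption.

Constructed for illustration; not the browser's implementation. Only the
directives and source-expression forms needed here are modelled.
"""
from urllib.parse import urlsplit

# CSP3 fallback: these fetch directives fall back to default-src when absent.
FALLBACK = {
    "img-src": "default-src",
    "frame-src": "default-src",
    "script-src": "default-src",
    "style-src": "default-src",
}

# Constructed page origin standing in for the site serving the policy.
PAGE_ORIGIN = "https://app.example"


def parse_policy(header: str) -> dict:
    """Turn "default-src 'none'; img-src https:" into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression admit the URL? (subset of the CSP3 rules)"""
    u = urlsplit(url)
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if s == "*":
        # The wildcard covers network schemes only; it never admits about:, data: or blob:.
        return u.scheme in ("http", "https", "ws", "wss")
    if s.endswith(":"):
        # scheme-source such as "https:"
        return u.scheme == s[:-1]
    # host-source such as "https://cdn.example": compare scheme and host[:port]
    return f"{u.scheme}://{u.netloc}" == s.rstrip("/")


def effective_sources(policy: dict, directive: str):
    """Sources governing a directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get(FALLBACK.get(directive, ""))


def is_allowed(policy: dict, directive: str, url: str,
               page_origin: str = PAGE_ORIGIN, exempt_about: bool = False) -> bool:
    """Return True if the fetch passes the policy.

    exempt_about=True models the reported behaviour: about: URLs bypass the
    check. With the default, about: URLs are matched like any other URL.
    """
    u = urlsplit(url)
    if u.scheme == "about":
        if u.path == "blank":
            return True  # about:blank fetches nothing; the thread calls it required
        if exempt_about:
            return True  # the bypass: the policy is never consulted
    sources = effective_sources(policy, directive)
    if sources is None:
        return True  # no directive governs this fetch type
    return any(source_matches(s, url, page_origin) for s in sources)


def audit(header: str, requests, exempt_about: bool = False) -> dict:
    """Evaluate a list of (directive, url) pairs against a policy header."""
    policy = parse_policy(header)
    return {(d, u): is_allowed(policy, d, u, exempt_about=exempt_about)
            for d, u in requests}


if __name__ == "__main__":
    # Constructed sample: the report's policy and the two loads it observed.
    loads = [("img-src", "about:logo"), ("frame-src", "about:blank"),
             ("img-src", "https://cdn.example/a.png")]
    for mode in (True, False):
        print("about: exempt" if mode else "about: enforced",
              audit("default-src 'none'", loads, exempt_about=mode))
```

Running the block prints the same three loads under both modes: with the exemption, about:logo is allowed despite `default-src 'none'`; with enforcement, only about:blank passes.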