Bug 1428050 - CSP leaks
Status: RESOLVED DUPLICATE of bug 1297156
Opened 7 years ago; Closed 7 years ago
Product / Component: Firefox :: Untriaged (defect)
Reporter: s.h.h.n.j.k; Assignee: Unassigned
Whiteboard: [Embargo until Edge and Chrome fixed]
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36
Steps to reproduce:
1. Go to https://shhnjk.azurewebsites.net/leaks.php
Actual results:
Received the following requests.
1. /?link-shortcut-icon
2. /?link-apple-touch-icon-precomposed
This isn't good because websites like GitHub are working hard to stop any external requests using CSP (for dangling markup protection).
Expected results:
No request to attack.shhnjk.com is leaked because of "Content-Security-Policy: default-src 'self'; base-uri 'self'; manifest-src 'self';".
Also affects Chrome and Edge in some other ways.
Comment 1 • 7 years ago
Seems like a dupe of bug 1167259 and/or bug 1297156 to me? Or am I missing something? (Note: both of these are public)
Flags: needinfo?(s.h.h.n.j.k)
Comment 2 (Reporter) • 7 years ago
Yeah, this is a dupe. But could you keep this bug private, as other vendors are affected by another part of the tag (not icons)?
Flags: needinfo?(s.h.h.n.j.k)
Updated • 7 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated (Reporter) • 7 years ago
Whiteboard: [Embargo until Edge and Chrome fixed]
Updated • 4 years ago
Group: firefox-core-security