csp bypass using object tag
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: yangzheng.li, Assigned: ckerschb)
References
Details
(Keywords: sec-moderate, Whiteboard: [fixed by bug 1555043][adv-main70+][post-critsmash-triage])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36 Steps to reproduce: visit this POC.html: === <html> <meta http-equiv="Content-Security-Policy" content="default-src 'self';script-src 'none';object-src data:;img-src 'none';frame-src data:"/> <!-- CSP is set and both script-src and img-src is 'none' --> <body> <!-- inline script will run and remote image load --> <object data='data:text/html;,<svg version="1.1" width="660" height="342" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><script>console.log("Remote Image test")</script><image xlink:href="https://ss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/logo/bd_logo1_31bdc765.png?x" width="660" height="342"/></svg>'></object> <!-- CSP works fine --> <iframe src='data:text/html;,<script>console.log("Remote Image test")</script><img src="https://ss0.bdstatic.com/5aV1bjqh_Q23odCf/static/superman/img/logo/bd_logo1_31bdc765.png?x" width="660" height="342"/>'></iframe> </body> </html> === Actual results: in object tag , inline script runs and remote image loads , but in iframe tag ,CSP works fine Expected results: Ref: https://www.w3.org/TR/CSP3/#directive-img-src "This directive controls requests which load images. More formally, this includes requests whose type is "image" [FETCH]." Ref: https://www.w3.org/TR/CSP3/#directive-script-src "The script-src directive restricts the locations from which scripts may be executed. This includes not only URLs loaded directly into script elements, but also things like inline script blocks and XSLT stylesheets [XSLT] which can trigger script execution." object tag should behaves like iframe
Comment 1•7 years ago
|
||
Christoph, let me know if I should ping someone else for these CSP issues.
Updated•7 years ago
|
Assignee | ||
Comment 2•7 years ago
|
||
This seems like a duplicate of Bug 1441096 to me. We don't inherit the CSP in that case which causes the CSP bypass. I don't know what we do special for object in that case though. Either way, I am pretty sure Bug 965637 will fix the issue within this bug as well as Bug 1441096.
Updated•7 years ago
|
Assignee | ||
Updated•7 years ago
|
Comment 4•5 years ago
|
||
I don't know which bug fixed this, but this doesn't work in Firefox 70.
Can you help me track down which one it was?
Updated•5 years ago
|
Assignee | ||
Comment 5•5 years ago
|
||
(In reply to Frederik Braun [:freddyb] from comment #4)
I don't know which bug fixed this, but this doesn't work in Firefox 70.
Can you help me track down which one it was?
Within Bug 965637 we moved the CSP from the Principal into the Client, but it was Bug 1555043 after all that fixed the problem.
Updated•5 years ago
|
Comment 6•5 years ago
|
||
Is there anything we can do to mitigate this on ESR68?
Comment 7•5 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #6)
Is there anything we can do to mitigate this on ESR68?
This bug is not that bad: we can live with it on ESR68 in my opinion. <object>
tags with a data:
URL do not inherit the parent's CSP as the spec says it should, but the content is contained in a unique-origin frame. Scripts should have been blocked, but even though they aren't they don't have access to any of the parent window's data (no XSS!). data:
URLs have to be explicitly whitelisted in a site's CSP to work and that's not all that common.
Comment 8•5 years ago
•
|
||
We seem to have a slightly worse bug which does inherit the origin and works against a strong CSP of default-src 'none'
that we might want to get into ESR 68.
Nevermind. That one is bug 1587976 and does not affect ESR 68.
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Reporter | ||
Comment 10•5 years ago
|
||
Can I ask for a CVE
Credit to Yangzheng Li of Chaitin Tech ?
Thanks a lot.
Updated•5 years ago
|
Comment 11•5 years ago
|
||
I am attempting to verify the fix of this issue, but I am not sure I understand the actual and expected results. Furthermore, I do not see any difference between the ESR68 v68.2.0esr build and the other builds (Release v70.0.1, Beta v72.0b1 and Nightly v73.0a1). The image is properly loaded on the left scrollable square, but no image is loaded in the right non-scrollable square.
@Christoph : Can you enlighten me so I can properly verify this fix? Thanks!
Assignee | ||
Comment 12•5 years ago
|
||
(In reply to Bodea Daniel [:danibodea] from comment #11)
@Christoph : Can you enlighten me so I can properly verify this fix? Thanks!
I think it's best to use this testcase:
https://bugzilla.mozilla.org/show_bug.cgi?id=1587976#c8
(FWIW, I'cced you on Bug 1587976 just in case you didn't have access to it).
Comment 13•5 years ago
|
||
Using an affected build (Nightly v70.0a1 from 2019-07-15) the test case will show a pop-up with the text "obj-javascript" and then show another pop-up with the text "[JavaScript Application] obj-data".
Using all the other main Firefox versions including ESR v68.3.0esr the pop-up will show the text "[JavaScript Application] obj-data".
The changeset pushed to mozilla-central is not found in the latest ESR build, however, it behaves like the unaffected ones.
Considering the fact that I do not know the actual and expected results, I will need someone to confirm that the verification is valid.
@Christoph: Can you confirm?
Assignee | ||
Comment 14•5 years ago
|
||
Freddy, since you also looked at this bug a while ago (comment 4) I was wondering if you have better ways of testing to verify this problem has been fixed - do you?
Comment 15•5 years ago
|
||
Yeah, this is fixed as danibodea says in comment 13.
There should be no other alert than "obj-data" for a fixed version of Firefox.
Updated•5 years ago
|
Updated•5 years ago
|
Comment 16•5 years ago
|
||
Rechecked. Fix verified.
Updated•4 years ago
|
Description
•