Closed Bug 1444877 Opened 7 years ago Closed 7 years ago

CSP bypass with upgrade-insecure-request

Categories

(Firefox :: Untriaged, defect)

defect
Not set
normal

RESOLVED INVALID

People

(Reporter: s.h.h.n.j.k, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36

Steps to reproduce:
1. Go to http://test.shhnjk.com/upgrade.php

Actual results:
Alert appears.

Expected results:
vuln.shhnjk.com/noupgrade.php has CSP "script-src http://shhnjk.com/" but script is loaded from https://shhnjk.com/alert.js. Chrome and Edge are affected too. If this is more of a spec issue (couldn't figure out by myself), feel free to file a spec bug.
Can you link to the Chrome/Edge issues? Are any other browsers either affected or, really, are there browsers that restrict the load in this case? Can you name any scenario in which this is actually a security bug rather than just, potentially, either a spec bug or a bug in the implementation that has no negative security ramifications? That is, under what circumstances does this lead to browser behaviour that puts users and/or site owners at risk?
Flags: needinfo?(s.h.h.n.j.k)
I'm not sure about the attack scenario. It's just that the script is loaded from a place where CSP doesn't allow it. I just want to make sure that this is not something you guys are worried about discussing publicly over a spec issue (though I don't know which part of the spec should be fixed).
Flags: needinfo?(s.h.h.n.j.k)
From Chromium issue: The CSP specification changed to simplify migrations to HTTPS. https://www.w3.org/TR/CSP3/#changes-from-level-2

"The URL matching algorithm now treats insecure schemes and ports as matching their secure variants. That is, the source expression http://example.com:80 will match both http://example.com:80 and https://example.com:443."
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Group: firefox-core-security