CSP script nonce not working on test page
Categories
(Core :: DOM: Security, defect, P3)
People
(Reporter: 1009465756, Unassigned)
Details
(Whiteboard: [domsecurity-backlog2])
Attachments (1 file): image/png, 10.97 KB
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Steps to reproduce:
Open the link 'https://wx.mail.qq.com/', on which a CSP header is set with the 'nonce' feature enabled.
Actual results:
- Open the dev tool and check the console.
- It can be seen that the 'script-src' directive blocked the inline script on line 14. The code is listed as follows:
    var flag = true
    // IE8 has this Object.defineProperty method, but it only accepts DOM objects as arguments
    var o = {}
    try {
      var curObject = Object.defineProperty(o, 'abc', {value: 123})
      var originObject = {
        abc: 123
      }
      if (curObject.abc !== originObject.abc) {
        flag = false
      }
    } catch (e) { // The 'script-src' directive blocks the inline script here.
      flag = false
    }
- There aren't any alerts for the same web page in Chrome. It is inferred that the behavior of the CSP header described above is totally unexpected in Firefox.
Comment 1•6 years ago
The CSP from that page:
Content-Security-Policy: default-src 'self' https://*.qq.com https://*.qqmail.com; script-src 'self' https://*.oa.com https://hm.baidu.com http://hm.baidu.com *.google-analytics.com http://mat1.gtimg.com https://mat1.gtimg.com http://*.soso.com https://*.soso.com http://*.qq.com https://*.qq.com http://*.qqmail.com https://*.qqmail.com http://pub.idqqimg.com 'nonce-14540bb353ac024b89bb712b2e42cb28' 'unsafe-eval'; style-src 'self' https://*.qq.com https://*.oa.com https://rescdn.qqmail.com 'unsafe-inline'; img-src * 'self' data: http: https:; media-src 'self' https://*.qq.com; font-src 'self' https://*.oa.com https://*.qq.com data: http: https:; child-src 'self' https://*.qq.com blob:; connect-src 'self' wss://wx.mail.qq.com https://*.qq.com; frame-src 'self' https://*.qq.com; worker-src 'self' https://*.qq.com blob: 'self'; manifest-src 'self' https://*.qq.com; base-uri 'self'; object-src 'none'; report-uri https://aq.qq.com/cn2/manage/mbtoken/hijack_csp_report
Comment 2•6 years ago
Note the nonce (Number used ONCE) seems to be static, which means any potential XSS can trivially exploit this by inserting the known constant nonce. Nonces need to be unique every time the page is loaded. For static script use hashes instead.
Comment 3•6 years ago
Thank you, Daniel. Currently, the nonce value is bound to the session. The value remains unchanged if there is no session (if the user isn't logged in). As you mentioned, this is not a good practice; we will fix it by using hashes.