1587976 - (CVE-2019-17001) CSP script-src 'none'; allows <object> to execute javascript code in firefox (but firefox developer edition works fines)

Status: RESOLVED FIXED

(Core :: DOM: Security, defect)

Description

[Matheus Vrech]

Attachment: report.zip

The Mozilla developer docs say that:
"The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution."
and:
"'none' Refers to the empty set; that is, no URLs match. The single quotes are required.", according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src

These days while I was playing a CTF, I was able to trigger arbitrary javascript in the page's context using the <object> tag and could even steal user cookies.

This wasn't the CTF expected solution and shouldn't have worked because of the script-src 'none' policy ( doesn't work on chrome and other browsers).

So I made a PoC page and the working payload is: http://38.240.18.75/csp/index.php?payload=<object data="javascript:alert(${document.cookie})"></object>

Code like: http://38.240.18.75/csp/index.php?payload=<object data="data:text/html,<script>alert(document.cookie)</script>"></object>
executes in a different context and doesn't affect the web page, but maybe should be blocked as well by the CSP policy. In the attachments I'm disposing the webpage source and some prints of a working PoC.

Comment 1

[:Gijs (he/him)]

I think this is a dupe of bug 1457100, which has comments suggesting bug 965637 might be fixing this, but that's in 69 and comment #0 suggests that the exploit works there (ie it's still broken). It definitely seems fixed (exploit not working) in 70 beta for me. Christoph/Dan, can you confirm what's going on here?

Comment 2

[Matheus Vrech]

Attachment: report-comment.zip

Comment 3

[Matheus Vrech]

Comment on attachment 9100347 [details]
report-comment.zip

(this payload bypass all csp)

Comment 5

[Tom Ritter [:tjr]]

By commenting out the patch in Bug 1555043 I was able to reproduce this on 70; so I believe that patch fixed this in 70.

Comment 6

[Christoph Kerschbaumer [:ckerschb]]

Within Bug 965637 we moved the CSP from the Principal into the Client, a new Data Structure which better reflects the security context for CSP within Firefox. Besides the benefits of doing so it seems this refactoring effort has caused the regression reported within this Bug. At least Bug 1555043 fixed the problem again to close that CSP bypass.

Comment 7

[Daniel Veditz [:dveditz]]

Attachment: testcase: default-src 'none'

Comment 8

[Daniel Veditz [:dveditz]]

Attachment: testcase: default-src data:

These two testcases can be used to test this bug and demonstrate the difference between this Fx69-only regression (the "none" case) and the less severe bug 1441468 that is an older regression (the "data:" case).

I have confirmed that the "none" case does not affect ESR68 or ESR60, does affect Firefox 69, and is fixed in Firefox 70.

The older "data:" problem affects ESR60, ESR68, and Firefox 69, but is also fixed in Firefox 70 (by the same underlying fix, bug 1555043). Our behavior now matches Chrome on these cases.

Comment 9

[Daniel Veditz [:dveditz]]

Does not qualify for the bounty because we landed a fix before this was reported, and also because it was made public before we had a chance to deal with it. Please see our bounty guidelines.