Closed Bug 1590698 Opened 5 years ago Closed 5 years ago

CSP bypass using <object> or <embed> with data attribute

Categories

(Core :: DOM: Security, defect)

Version: 70 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking

RESOLVED DUPLICATE of bug 1457100
Tracking Status
firefox-esr68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- wontfix
firefox72 --- wontfix

People

(Reporter: proof131072, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36

Steps to reproduce:

Firefox's CSP could be bypassed using <object> with a data attribute, which allows performing an XSS attack despite the CSP rules.

PoC:

<meta http-equiv="Content-Security-Policy" content="script-src">
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+"></object>

Test on: https://pwning.click/csptester.php

This doesn't work when you test using <iframe>.

Actual results:

JavaScript from a data: URI is executed despite the CSP rules.

Expected results:

CSP prevents JavaScript execution
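Added example (not part of the bug report and not Mozilla code): a small checker for what a CSP string, as written, says about <object>/<embed> data= loads. The PoC policy sets only script-src; object-src then falls back to default-src, which is also absent, so the policy itself permits the object to load, and blocking the script inside it depends entirely on the browser applying the parent policy to the data: document (which the report indicates happens for <iframe> but not for <object>/<embed>). A policy that sets object-src 'none', or a default-src list without data:, blocks the load before any inheritance question arises. The fallback rule object-src -> default-src -> unrestricted, the rule that "*" and an empty list do not cover data:, the function names, and the sample policies are all assumptions of this example.

```javascript
// Added example, not from the bug report or from Mozilla. Assumes the CSP
// Level 3 fallback rule object-src -> default-src -> unrestricted; function
// names and sample policies are constructed for illustration.

// Parse "name value value; name ..." into a Map of directive name -> source list.
// CSP keeps the first occurrence of a repeated directive and ignores the rest,
// so the parser does the same. Names and keywords compare case-insensitively.
function parseCsp(policy) {
  const directives = new Map();
  for (const chunk of policy.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Source list that governs <object>/<embed>: object-src if present, else
// default-src, else null meaning "no restriction at all".
function effectiveObjectSrc(directives) {
  if (directives.has("object-src")) return directives.get("object-src");
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

// A data: URL matches a source list only through an explicit "data:" scheme
// source. An empty list is equivalent to 'none', and "*" only covers network
// schemes, so it does not cover data:.
function sourceListAllowsData(sourceList) {
  if (sourceList === null) return true;
  if (sourceList.length === 0 || sourceList.includes("'none'")) return false;
  return sourceList.includes("data:");
}

// True when the policy on its own lets <object data="data:..."> load, i.e. the
// only thing between the data: document and script execution is the browser
// inheriting the parent CSP into that document.
function objectDataLoadPermitted(policy) {
  return sourceListAllowsData(effectiveObjectSrc(parseCsp(policy)));
}

// Append object-src 'none' unless the policy already sets object-src.
function hardenObjectSrc(policy) {
  const trimmed = policy.trim().replace(/;+$/, "");
  if (parseCsp(trimmed).has("object-src")) return trimmed;
  return trimmed.length === 0 ? "object-src 'none'" : `${trimmed}; object-src 'none'`;
}

// Constructed sample policies; the first is the one from the PoC above.
const samplePolicies = [
  "script-src",
  "default-src 'self'",
  "default-src 'self' data:",
  "script-src; object-src 'none'",
  "object-src *",
];
for (const p of samplePolicies) {
  console.log(
    JSON.stringify(p), "->",
    objectDataLoadPermitted(p) ? "object data: load allowed by policy" : "blocked by policy",
    "| hardened:", JSON.stringify(hardenObjectSrc(p)),
  );
}
```

The checker answers only what the policy text permits; whether a given browser build then applies that policy inside the nested data: document is exactly what this bug is about, so treat "allowed by policy" as "relies on CSP inheritance" and prefer a policy that does not.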

Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: CSP bypass using <object> with data attribute → CSP bypass using <object> or <embed> with data attribute

Hm, dupe of bug 1457100?

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: dom-core-security