CSP sniff nonce and include other javascript
Categories: Core :: DOM: Security, defect
People: Reporter: andrea.serra, Unassigned
Attachments (1 file): 2.42 KB, application/gzip
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0
Steps to reproduce:
I have set this CSP:
Content-Security-Policy: "default-src 'self'; script-src 'nonce-r4nd0m'; style-src 'nonce-r4nd0m'"
In this way only scripts with the nonce will be considered valid, and if one of them tries to include a second javascript file, then it must be blocked. But if we recover the nonce from a js element present in the DOM, we can include one or more additional javascript files.
The code to sniff a nonce and insert a js file is:
/* sniff script nonce from DOM */
var scriptNonce = document.getElementsByTagName('script')[0].getAttribute('nonce');
/* init malicious script */
var evilScript = document.createElement('script');
/* set script attributes */
evilScript.src = '/js/evil.js';
evilScript.type = "text/javascript";
/* insert sniffed nonce */
evilScript.setAttribute('nonce', scriptNonce);
/* append malicious script to body */
document.body.appendChild(evilScript);
Actual results:
It is possible to include additional javascript files by sniffing the nonce from the DOM, although the 'strict-dynamic' directive has not been specified on the CSP.
Expected results:
The script included through nonce sniffing must be blocked, unless the 'strict-dynamic' has been specified on the CSP.
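To make the behaviour in this report concrete, here is an added example, not code from the bug report or from Firefox: a simplified model of the CSP3 script-src decision for a script element. It shows why a script carrying a matching nonce is allowed no matter how it entered the DOM, and what 'strict-dynamic' actually changes. Host-source matching is reduced to 'self' and exact-origin comparison, the element shape (src, nonce, parserInserted), the helper names and the origins are assumptions made for the illustration, and the policies are the ones quoted in the report.

```javascript
// Added example (not from the bug report or Firefox): a simplified model of
// the CSP3 script-src decision for a <script> element. Host-source matching
// is reduced to 'self' and exact-origin comparison; element shape, helper
// names and origins are assumptions made for this illustration.

// Parse "name src1 src2; name2 src" into Map(name -> [sources]).
// Only the first occurrence of a directive counts, as in CSP.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Extract nonce values from expressions like 'nonce-r4nd0m'.
function noncesIn(sources) {
  return sources
    .filter((s) => /^'nonce-[^']+'$/i.test(s))
    .map((s) => s.slice("'nonce-".length, -1));
}

// script = { src, nonce, parserInserted }
//   src:            URL of an external script, or null for an inline script
//   nonce:          the element's nonce value, or null
//   parserInserted: true for markup handled by the HTML parser (initial page,
//                   innerHTML, document.write); false for createElement/appendChild
// Returns true when the script may execute under `policy`.
function scriptAllowed(policy, script, pageOrigin) {
  const d = parsePolicy(policy);
  const sources = d.get('script-src') || d.get('default-src');
  if (sources === undefined) return true; // nothing governs scripts

  // 1. A matching nonce allows the script regardless of how it was inserted.
  //    This is the path the report exercises: createElement + setAttribute
  //    with the page's own nonce is a valid nonced script per the spec.
  if (script.nonce !== null && noncesIn(sources).includes(script.nonce)) return true;

  // 2. 'strict-dynamic' propagates trust to scripts created by already-running
  //    (trusted) code and disables host allowlists and 'self' for script-src.
  //    Parser-inserted markup without a nonce stays blocked.
  if (sources.some((s) => s.toLowerCase() === "'strict-dynamic'")) {
    return !script.parserInserted;
  }

  // 3. Inline scripts: only 'unsafe-inline', and only when no nonce/hash
  //    expression is present (those turn 'unsafe-inline' into a no-op).
  if (script.src === null) {
    const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
    return !hasNonceOrHash && sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  }

  // 4. External scripts: 'self' or an exact origin in the allowlist (simplified).
  const origin = new URL(script.src, pageOrigin).origin;
  return sources.some((s) => (s === "'self'" ? origin === pageOrigin : s === origin));
}

// Scenarios built on the policy quoted in the report (constructed origin).
const REPORTED_POLICY = "default-src 'self'; script-src 'nonce-r4nd0m'; style-src 'nonce-r4nd0m'";
const STRICT_POLICY = "script-src 'nonce-r4nd0m' 'strict-dynamic'";
const ORIGIN = 'https://example.test';

function runScenarios() {
  return {
    // the report's repro: the page's nonce copied onto a new script element
    sniffedNonce: scriptAllowed(REPORTED_POLICY,
      { src: '/js/evil.js', nonce: 'r4nd0m', parserInserted: false }, ORIGIN),
    // same element without the nonce: script-src has no 'self', so blocked
    noNonce: scriptAllowed(REPORTED_POLICY,
      { src: '/js/evil.js', nonce: null, parserInserted: false }, ORIGIN),
    // markup injected through innerHTML without a nonce: blocked (the case nonces are for)
    injectedMarkup: scriptAllowed(REPORTED_POLICY,
      { src: '/js/evil.js', nonce: null, parserInserted: true }, ORIGIN),
    // with 'strict-dynamic', a nonce-less script created by trusted code runs...
    strictDynamicCreated: scriptAllowed(STRICT_POLICY,
      { src: 'https://cdn.example.test/lib.js', nonce: null, parserInserted: false }, ORIGIN),
    // ...but parser-inserted nonce-less markup is still blocked
    strictDynamicInjected: scriptAllowed(STRICT_POLICY,
      { src: 'https://cdn.example.test/lib.js', nonce: null, parserInserted: true }, ORIGIN),
  };
}

console.log(runScenarios());
```

The model gives true for the report's scenario and false for the injected-markup scenarios, which is the distinction the nonce mechanism is designed around: the nonce grants trust to whatever element carries it, so code that is already executing with access to the page can hand that trust on, while markup an attacker injects without knowing the nonce is blocked. Two operational consequences for anyone deploying this: the nonce must be a fresh random value on every response (a fixed string like the report's 'nonce-r4nd0m' is only fit for a repro), and the dynamic-loading behaviour of trusted scripts belongs in the threat model rather than being something the policy can stop.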
Comment 1 • 4 years ago (reporter)
I found the same problem in the latest versions of firefox for Android and iOS.
Comment 2 • 4 years ago (Daniel Veditz [:dveditz])
This is a known problem.
Comment 3 • 4 years ago (reporter)
(In reply to Daniel Veditz [:dveditz] from comment #2)
> This is a known problem.
> *** This bug has been marked as a duplicate of bug 1374612 ***
I don't think hiding the nonce is a good solution; it would be better to block the inclusion of a script when a CSP is set and strict-dynamic is not specified.