Closed Bug 530647 Opened 10 years ago Closed 9 years ago
CSP vulnerable to UTF-7 encoded script injection
Gareth Heyes points out in http://www.thespanner.co.uk/2009/11/23/bypassing-csp-for-fun-no-profit/ that sites which have a JSON or script feed that is being properly sanitized for metacharacters such as '<' and '>' can still be vulnerable to script injection by an attacker who includes charset="utf-7" in the injected script tag. Have we considered not honoring the charset attribute in script tags unless it matches the charset in the Content-Type sent by the server?
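The bypass the report describes, and the charset-matching check it asks about, as an added example (not Mozilla code or code from the linked post); the feed, the filter and the function names are constructed here for illustration:

```python
import re
from typing import Optional


def ascii_metachar_filter(value: str) -> str:
    """The kind of sanitizer the report assumes: escapes literal ASCII '<'
    and '>' so a value embedded in a JSON feed cannot open or close a tag."""
    return value.replace("<", "\\u003c").replace(">", "\\u003e")


def markup_after_decoding(feed: bytes, charset: str) -> bool:
    """Decode the served feed as `charset` (what an injected
    <script charset=...> makes the browser do) and report whether angle
    brackets reappear despite the ASCII filter. Undecodable bytes are
    replaced rather than raised so one bad byte cannot hide a finding."""
    text = feed.decode(charset, errors="replace")
    return "<" in text or ">" in text


def script_charset_honoured(tag_charset: Optional[str], content_type: str) -> bool:
    """The mitigation the report asks about: honour a script tag's charset
    attribute only when it equals the charset in the server's Content-Type."""
    m = re.search(r'charset\s*=\s*"?([\w.:-]+)', content_type, re.I)
    declared = m.group(1).lower() if m else None
    if tag_charset is None:
        return True  # nothing to override; the response charset applies
    return declared is not None and tag_charset.lower() == declared


# Constructed sample: an attacker-controlled field that passes the ASCII
# filter unchanged because it carries UTF-7 shift sequences
# (+ADw- decodes to '<', +AD4- to '>') instead of literal angle brackets.
UTF7_FIELD = "+ADw-b+AD4-hello+ADw-/b+AD4-"
SAMPLE_FEED = ('{"user": "%s"}' % ascii_metachar_filter(UTF7_FIELD)).encode("ascii")
# Constructed benign feed: literal brackets, correctly neutralised by the filter.
BENIGN_FEED = ('{"user": "%s"}' % ascii_metachar_filter("<b>hello</b>")).encode("ascii")

if __name__ == "__main__":
    print("utf-8 view leaks markup:", markup_after_decoding(SAMPLE_FEED, "utf-8"))
    print("utf-7 view leaks markup:", markup_after_decoding(SAMPLE_FEED, "utf-7"))
    print("charset=utf-7 honoured under a utf-8 response:",
          script_charset_honoured("utf-7", "application/json; charset=utf-8"))
```

Running `markup_after_decoding(feed, "utf-7")` over a site's own JSON or JSONP responses flags feeds whose filter only looks at literal ASCII metacharacters.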
Removing UTF-7 support entirely (bug 414064) would fix this bug as well, I suppose.
Fixing bug 414064 would definitely be better than solving this for CSP only, since supporting UTF-7 is bad in general, and not in compliance with HTML5, which is something we want to be.
Bug 414064 is now fixed, so I guess this is too.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED