Closed Bug 530647 Opened 15 years ago Closed 13 years ago

CSP vulnerable to UTF-7 encoded script injection

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: bsterne, Unassigned)

References

Details

Gareth Hayes points out in:
http://www.thespanner.co.uk/2009/11/23/bypassing-csp-for-fun-no-profit/

that sites which have a JSON or script feed that is being properly sanitized for metacharacters such as '<' and '>', can still be vulnerable to script injection by an attacker that includes charset="utf-7" in the injected script tag.

Have we considered not honoring the charset attribute in script tags unless it matches the charset in the Content-Type sent by the server?
Blocks: 515442
Removing UTF-7 support entirely (bug 414064) would fix this bus as well, I suppose.
Fixing bug 414064 would definitively be better than solving this for CSP only, since supporting UTF-7 is bad in general, and not in compliance with HTML5, which is something we want to be.
Depends on: 414064
Bug 414064 is now fixed, so I guess this is too.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.