CSP can be bypassed if Content-Type is not strictly enforced, resulting in XSS

RESOLVED WONTFIX

Status

()

defect
P3
normal
RESOLVED WONTFIX
8 years ago
5 years ago

People

(Reporter: pauljt, Unassigned)

Tracking

(Blocks 1 bug, {sec-moderate, testcase})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:moderate])

Attachments

(1 attachment)

+++ This bug was initially created as a clone of Bug #662227 +++

Expected Result:
Firefox should not load script file if it's Content-Type is not allowed by CSP spec. 

Actual Result:
Currently (tested in 9.0.1 only) Firefox will load script file with any content-type. A page which is valid XML, and contains an XSS vulnerability, will not be protected by CSP policy of default-src 'self'. An attacker can inject XML tags to make the web page into a valid JavaScript file (due to E4X), and then include a script tag, along with arbitrary script to be executed.

See attachment below for example.


As a comment in the previous bug indicates, this issue is not likely to be specific to JavaScript (or just Firefox for that matter). Any content which can be simulated by malforming a HTML document is probably a risk. (Consider XML based plugin types such as Acrobat XFA or XML-based office documents being loaded in browser plugins via an object tag)
Keywords: testcase
Whiteboard: [sg:moderate]
Who would be a good owner for this?
Just as an aside: this issue is already discussed somewhat publicly on the W3 webappsec mailing list. Probably no reason to keep this hidden.
Opening up per Paul's comment.
Group: core-security
Duplicate of this bug: 746425
Can this be closed now that E4X has been removed?
Flags: needinfo?(ptheriault)
We probably should still check the content type I think. The issue is that if there is xss in a page on a domain that allows the attacker enough control over page content to make that page a valid script, a CSP of 'script-src self' will allow for the attacker to load this page as script. e4x just made this attack more likely because web pages are often well-formed xml, and thus a valid script. 

I don't what the HTML5 spec says though about enforcing the mime-types for script sources, and maybe it isn't good practice to special-case CSP.
Flags: needinfo?(ptheriault)
paul: do we want this fixed?  How likely is this to be abused/abusable?
Flags: needinfo?(ptheriault)
Priority: -- → P3
Pretty unlikely to be abused. If you had a domain protected by a strict CSP AND there was a content injection flaw on this domain such that an attacker could massage a file to be a valid javascript, the CSP won't do anything. The idea was that if you use a CSP, then maybe we could enforce a content-type to add an additional layer of protection in this case. But with e4x gone, the chances are pretty low, and if you have such a content injection vulnerability there are probably other attacks, so maybe this should just be a wont-fix.
Flags: needinfo?(ptheriault)
Please reopen if not wontfix after all.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.