Closed Bug 722547 Opened 10 years ago Closed 7 years ago
CSP can be bypassed if Content-Type is not strictly enforced, resulting in XSS
948 bytes, text/php
Who would be a good owner for this?
Just as an aside: this issue is already discussed somewhat publicly on the W3 webappsec mailing list. Probably no reason to keep this hidden.
Opening up per Paul's comment.
Can this be closed now that E4X has been removed?
We probably should still check the content type I think. The issue is that if there is xss in a page on a domain that allows the attacker enough control over page content to make that page a valid script, a CSP of 'script-src self' will allow for the attacker to load this page as script. e4x just made this attack more likely because web pages are often well-formed xml, and thus a valid script. I don't know what the HTML5 spec says though about enforcing the mime-types for script sources, and maybe it isn't good practice to special-case CSP.
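The content-type check argued for in the comment above, as an added example that is not code from this bug, from the attachment, or from Mozilla: a strict script-MIME gate beside the lax legacy rule that lets a same-origin HTML page run as a script under `script-src 'self'`, plus the response headers a site operator sets so the lax path is never reachable. The MIME-type list and the lax blocking rule are assumptions that approximate browser behaviour, and the injected page is a constructed scenario.

```javascript
// Assumption: this list approximates the JavaScript MIME type essences browsers accept.
const JS_MIME_TYPES = new Set([
  "text/javascript", "application/javascript", "application/x-javascript",
  "text/ecmascript", "application/ecmascript", "text/jscript", "text/livescript",
]);

// Reduce a Content-Type such as "text/html; charset=utf-8" to its essence "text/html".
function mimeEssence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// Decide whether a fetched resource may execute as a script.
// strict=false models the lax rule (assumption: only image/*, audio/*, video/* and
// text/csv are refused), which is the gap the comment describes: an HTML page that also
// parses as JavaScript is accepted. strict=true, or an X-Content-Type-Options: nosniff
// header on the response, models strict enforcement: only JavaScript MIME types run.
function scriptAllowed(headers, { strict = true } = {}) {
  const essence = mimeEssence(headers["content-type"]);
  const nosniff =
    (headers["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
  if (strict || nosniff) {
    return JS_MIME_TYPES.has(essence);
  }
  return !(/^(image|audio|video)\//.test(essence) || essence === "text/csv");
}

// Headers a defender sends on every response: CSP restricts script origins, nosniff
// makes the browser refuse to execute anything not declared as a script type.
function hardenedHeaders(contentType) {
  return {
    "content-type": contentType,
    "x-content-type-options": "nosniff",
    "content-security-policy": "script-src 'self'; object-src 'none'",
  };
}

// Constructed scenario: a same-origin HTML page (no nosniff) whose body an attacker has
// shaped, via an XSS in that page, so that it also parses as valid JavaScript.
const injectedPageHeaders = { "content-type": "text/html; charset=utf-8" };

// Outcomes for the scenario under each rule.
function demo() {
  return {
    // lax rule: text/html is not refused, so the page loads as a script (the bypass)
    laxBypass: scriptAllowed(injectedPageHeaders, { strict: false }),
    // strict rule: text/html is not a JavaScript type, so it is refused
    strictBlocked: scriptAllowed(injectedPageHeaders, { strict: true }),
    // lax browser, but the page is served with nosniff: refused as well
    nosniffBlocked: scriptAllowed(hardenedHeaders("text/html"), { strict: false }),
    // a genuine script keeps working under the hardened headers
    realScript: scriptAllowed(hardenedHeaders("text/javascript")),
  };
}

module.exports = { JS_MIME_TYPES, mimeEssence, scriptAllowed, hardenedHeaders, demo };
```

The point of `demo()` is that `script-src 'self'` alone does not close the hole; either the browser enforces script MIME types strictly or the server marks every response `nosniff`, and a defender should do the latter regardless of what the browser does.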
paul: do we want this fixed? How likely is this to be abused/abusable?
Priority: -- → P3
Please reopen if not wontfix after all.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX