Closed Bug 746425 Opened 12 years ago Closed 12 years ago

Bypass Content-Security-Policy using E4X

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
12 Branch
Platform:
x86
Windows Vista
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 722547

People

(Reporter: yosuke.hasegawa, Unassigned)

References

(
URL
)

Details

User Agent: Mozilla/5.0 (Windows NT 6.0; rv:12.0) Gecko/20100101 Firefox/12.0
Build ID: 20120411064248

Steps to reproduce:

E4X feature helps to break CSP.

HTML file is recognizable as JavaScript source with E4X feature, when no doctype or no XML declaration is given. It helps to running arbitrary js code when xss occurred, even if content is protected by Content-Security-Policy.




Actual results:

Visit following URL and raise "alert".
http://utf-8.jp/cgi-bin/csp.cgi?q=%3Cscript%20src%3d%22?q%3d%3C/div%3E%3C/body%3E%3C/html%3E;alert%281%29;%3Chtml%3E%3Cbody%3E%3Cdiv%3E%22%3E%3C/script%3E



Expected results:

Disable E4X feature for CSP protected content, or need other solution.
Why is this bug confidential? The attack surface is already public.
https://www.google.co.jp/search?q=owaspj-csp.pptx (Japanese)
FYI, you can parse HTML as JS even without E4X.
http://bakera.jp/ebi/topic/4755/comment (again Japanese)
Confidential is not unintended. my intention is to specify clearly security issue.
Although this issue is minor, It can't harm to many users, I think.

example of bypass CSP without E4X is incredibly rare case more than this issue, you know. HTML comment before meta elm is indispensable prerequisite.
What exactly is the bypass here? Haven't debugged but the CSP is "default-src 'self'" and the script tag appears to be loading itself. Is this just a duplicate of the fact that we're not checking the content-type for scripts? I don't think it's fair to blame E4X for this.
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM
Ever confirmed: true
Product: Firefox → Core
QA Contact: untriaged → general
Is it possible to add "strict-mime" option to CSP? It is more fundamental and will also prevent the comment #1 attack.
BTW, let's unhide this bug for broader audience. The attack vector is already public.
Originally the default specified behavior was strict content type checking for scripts (see bug 662227), but that has dropped out of the spec. I'd much rather have default strict checking with a 'lax-content-type' option than the reverse because people aren't going to remember to use 'strict-mime'.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.