Bug 174883

Summary: CSP rules ignored when a page navigates to a blob URL
Product: WebKit Reporter: JF Paradis <jparadis>
Component: WebKit Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: dbates, erights, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description: A PoC where a blob type html ignores CSP from container. Flags: none

JF Paradis
Reported 2017-07-26 20:41:31 PDT
Created attachment 316513 [details]
A PoC where a blob type html ignores CSP from container.

A CSP-protected document can create Blob-URIs that, upon being navigated to, execute JavaScript on the origin domain but lose all CSP restrictions the origin was equipped with. PoC attached.

Observations:
- In FF, CSP rules are respected: allow/disallow unsafe-inline, nonce, etc.
- W3C does seem to indicate that CSP should be applied: "Note: We do all this to ensure that a page cannot bypass its policy by embedding a frame or popping up a new window containing content it controls (blob: resources, or document.write())." https://www.w3.org/TR/CSP/#initialize-document-csp
Attachments
A PoC where a blob type html ignores CSP from container. (506 bytes, text/html)
2017-07-26 20:41 PDT, JF Paradis
no flags
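The inheritance rule the reporter points to, modelled as a small check (an added example, not the attached PoC and not WebKit code): a document navigated to via a local scheme such as blob: should start with its creator's policy, so an inline script that the creator's CSP blocks stays blocked in the blob document. The local-scheme set (about:, blob:, data:) and the inline-script evaluation are assumptions drawn from the CSP3 text, not from this bug.

```javascript
// Added example, not from the bug report or WebKit. Models CSP
// inheritance for local-scheme documents and the inline-script decision.
// Assumption: local schemes are about:, blob: and data: (per CSP3/Fetch).

const LOCAL_SCHEMES = new Set(["about:", "blob:", "data:"]);

// Parse a serialized policy ("script-src 'self' 'nonce-abc'; img-src *")
// into a Map of directive name -> array of source expressions.
// The first occurrence of a directive wins, as in the spec.
function parsePolicy(serialized) {
  const policy = new Map();
  for (const token of serialized.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, parts.slice(1));
  }
  return policy;
}

// Policy a newly navigated document should start with: a local-scheme
// URL (the blob: case in this bug) inherits the creator's policy; a
// network URL gets whatever its own response carries (null here).
function effectivePolicy(targetUrl, creatorPolicy) {
  const scheme = new URL(targetUrl, "https://example.test/").protocol;
  return LOCAL_SCHEMES.has(scheme) ? creatorPolicy : null;
}

// Would an inline <script> (no nonce, no hash) run under this policy?
// 'unsafe-inline' is ignored once a nonce or hash source is present;
// script-src falls back to default-src; no governing directive = allowed.
function allowsInlineScript(policy) {
  if (policy === null) return true;
  const sources = policy.get("script-src") ?? policy.get("default-src");
  if (sources === undefined) return true;
  const lower = sources.map(s => s.toLowerCase());
  const hasNonceOrHash = lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}
```

With the bug's behaviour, the blob document would behave as if `effectivePolicy` returned `null`; the expected behaviour is that it returns the creator's policy.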
Radar WebKit Bug Importer
Comment 1 2017-07-27 13:45:35 PDT
Daniel Bates
Comment 2 2019-06-11 10:40:56 PDT
*** This bug has been marked as a duplicate of bug 198579 ***