Bug 155709 - CSP: Should only execute <script> or apply <style> if its hash appears in all policies
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Local Build
Hardware: All All
: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-03-20 20:52 PDT by Daniel Bates
Modified: 2016-03-22 14:27 PDT (History)


Attachments
Example (script hash) (1.04 KB, text/html)
2016-03-20 20:52 PDT, Daniel Bates
Patch and Layout Tests (10.97 KB, patch)
2016-03-20 20:58 PDT, Daniel Bates
darin: review+

Description Daniel Bates 2016-03-20 20:52:15 PDT
Created attachment 274568 [details]
Example (script hash)

We should execute an inline script or apply an inline stylesheet only if its hash is listed in all of the policies on the page. Otherwise a malicious person can run/apply an arbitrary script/stylesheet s with hash h_s by injecting s together with a CSP that lists h_s on a page with an XSS vulnerability.

The following demonstrates the issue with script hashes:

Steps to reproduce:

1. Open the attached example.

Then you will see three JavaScript alerts with messages (in order) "FAIL did execute first script", "FAIL did execute second script", and "PASS", respectively. But you should see exactly one JavaScript alert with message "PASS" because the inline script that shows this JavaScript alert is the only script on the page whose hash is listed in both of the CSP policies delivered with the page.
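The following is an added illustration of the intended semantics, not WebKit's code and not the attached test case: a small Python model of CSP hash-source matching for inline scripts that evaluates every policy delivered with the page and permits execution only when all of them allow it. The function names, the simplified matching rules and the sample scripts and policies are constructed for this example; the policies are built so that the "PASS" script is listed in both and each "FAIL" script in only one, mirroring the description above.

```python
import base64
import hashlib
import re

# Assumed simplified model of CSP Level 2 inline-script matching. Real CSP has
# more source kinds (nonces, 'strict-dynamic', host sources); only what is
# needed to show the "all policies must allow it" rule is modelled here.

HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=]+'$")


def hash_source(script_text: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source token ('sha256-<base64>') for inline content."""
    digest = hashlib.new(algo, script_text.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def parse_policy(policy: str) -> dict:
    """Parse a serialized policy into {directive-name: [source-expressions]}."""
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def policy_allows_inline_script(policy: str, script_text: str) -> bool:
    """Does ONE policy allow this inline script to run?

    script-src governs inline scripts, falling back to default-src. A policy
    with neither directive imposes no restriction on scripts. 'unsafe-inline'
    is ignored once a hash or nonce source is present (CSP Level 2), so the
    script then runs only if a listed hash matches its digest.
    """
    directives = parse_policy(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # this policy does not govern scripts at all
    hash_sources = [s for s in sources if HASH_RE.match(s)]
    has_nonce = any(s.startswith("'nonce-") for s in sources)
    if "'unsafe-inline'" in sources and not hash_sources and not has_nonce:
        return True
    for src in hash_sources:
        algo = src[1:].split("-", 1)[0]
        if src == hash_source(script_text, algo):
            return True
    return False


def inline_script_allowed(policies: list, script_text: str) -> bool:
    """Intended behaviour: the script runs only if EVERY policy allows it."""
    return all(policy_allows_inline_script(p, script_text) for p in policies)


def inline_script_allowed_any(policies: list, script_text: str) -> bool:
    """Flawed behaviour matching the reported symptom: a script listed in
    ANY one policy runs, so a policy an attacker manages to inject can
    vouch for the attacker's own script."""
    return any(policy_allows_inline_script(p, script_text) for p in policies)


# Constructed sample inputs (not the attachment from this bug).
PASS_SCRIPT = "alert('PASS')"
FIRST_SCRIPT = "alert('FAIL did execute first script')"
SECOND_SCRIPT = "alert('FAIL did execute second script')"

# Two policies delivered with the same page: PASS is listed in both,
# FIRST only in policy A, SECOND only in policy B.
POLICY_A = f"script-src {hash_source(PASS_SCRIPT)} {hash_source(FIRST_SCRIPT)}"
POLICY_B = f"script-src {hash_source(PASS_SCRIPT)} {hash_source(SECOND_SCRIPT)}"
POLICIES = [POLICY_A, POLICY_B]


def demo() -> dict:
    """Evaluate each sample script under both behaviours."""
    return {
        name: (inline_script_allowed(POLICIES, text),
               inline_script_allowed_any(POLICIES, text))
        for name, text in (("PASS", PASS_SCRIPT),
                           ("FIRST", FIRST_SCRIPT),
                           ("SECOND", SECOND_SCRIPT))
    }


if __name__ == "__main__":
    for name, (strict, loose) in demo().items():
        print(f"{name}: all-policies={strict} any-policy={loose}")
```

Under the intended rule only the "PASS" script executes; under the any-policy rule all three do, which is the sequence of alerts the report describes. Note that "all policies" means all policies that govern scripts: a delivered policy containing only, say, img-src does not block an inline script, so the check is an intersection over the policies that actually restrict the resource.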
Comment 1 Radar WebKit Bug Importer 2016-03-20 20:53:26 PDT
<rdar://problem/25263368>
Comment 2 Daniel Bates 2016-03-20 20:58:23 PDT
Created attachment 274569 [details]
Patch and Layout Tests
Comment 3 Daniel Bates 2016-03-22 14:27:12 PDT
Committed r198551: <http://trac.webkit.org/changeset/198551>