WebKit Bugzilla
Bug 156106 - CSP: Allow bookmark JavaScript to bypass restrictions
Status: NEW
https://bugs.webkit.org/show_bug.cgi?id=156106

Craig Francis
Reported 2016-04-01 03:53:25 PDT
JavaScript running from a bookmark (aka a "bookmarklet") is run within the origin of the website you are looking at, so any CSP restrictions are applied to it as well. It could be argued that the end user should be able to bypass any CSP restrictions, as they own and control the device (CSP is not used by the website to stop the end user from doing something to the page). The same is true of extensions, which typically can bypass CSP restrictions (much to the annoyance of website owners).

---

For example, if a website was to issue the CSP header:

    Content-Security-Policy: connect-src 'self';

Then the following bookmark JS, used to pass the current URL to a "todo" website, would be blocked.

    javascript:(function(){
      var l = window.prompt('Todo note:');
      if (l === null) return;
      if (l == '') l = document.title;
      var r = new XMLHttpRequest();
      var t = new Date().getTime();
      var n = document.title + "\n\n" + window.location.href.trim();
      var u = 'https://www.example.com/add/?label=' + encodeURIComponent(l) + '&notes=' + encodeURIComponent(n) + '&time=' + encodeURIComponent(t);
      r.open('GET', u, true);
      r.withCredentials = true;
      r.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
      r.onload = function() {
        var d = JSON.parse(r.responseText);
        if (d.success) {
          alert('Added todo item');
        } else {
          alert('Cannot add todo item: ' + d.error_message);
          r.onerror();
        }
      };
      r.onerror = function() {
        alert('Error submitting note, will try directly...');
        window.location = u;
      };
      r.send();
    })();

Or in compressed form:

    javascript:(function()%7B%20var%20l=window.prompt('Todo%20note:');%20if%20(l===null)%20return;%20if%20(l=='')%20l=document.title;%20var%20r=new%20XMLHttpRequest();%20var%20t=new%20Date().getTime();%20var%20n=document.title+%22%5Cn%5Cn%22+window.location.href.trim();%20var%20u='https://www.example.com/add/?label='+encodeURIComponent(l)+'&notes='+encodeURIComponent(n)+'&time='+encodeURIComponent(t);%20r.open('GET',%20u,%20true);%20r.withCredentials%20=%20true;%20r.setRequestHeader('Content-type',%20'application/x-www-form-urlencoded');%20r.onload%20=%20function()%20%7B%20%20%20var%20d%20=%20JSON.parse(r.responseText);%20%20%20if%20(d.success)%20%7B%20%20%20%20%20alert('Added%20todo%20item');%20%20%20%7D%20else%20%7B%20%20%20%20%20alert('Cannot%20add%20todo%20item:%20'%20+%20d.error_message);%20%20%20%20%20r.onerror();%20%20%20%7D%20%7D;%20r.onerror%20=%20function()%20%7B%20%20%20alert('Error%20submitting%20note,%20will%20try%20directly...');%20%20%20window.location%20=%20u;%20%7D;%20r.send();%20%7D)();
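As an added example (not from the bug report and not WebKit's implementation), the following JavaScript is a minimal evaluator for the CSP connect-src directive; it shows why the header above blocks the bookmarklet's XMLHttpRequest to https://www.example.com while a same-origin request passes. The page origin https://www.site.test and the request URLs are constructed for the demonstration, and only 'none', 'self', '*', scheme sources and host sources are modelled.

```javascript
// Added example, not code from the bug report or from WebKit: a minimal
// evaluator for the CSP connect-src directive. It models 'none', 'self', '*',
// scheme sources ("https:") and host sources ("[scheme://]host[:port]", with an
// optional "*." prefix); nonces, hashes and 'unsafe-*' keywords are ignored.

function directiveSources(policy, name) {
  // Return the source tokens of the named directive, or null if it is absent.
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

function schemeMatches(sourceScheme, targetScheme) {
  // CSP lets an http: source match an https: request (secure upgrade).
  return targetScheme === sourceScheme || (sourceScheme === 'http:' && targetScheme === 'https:');
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (!pattern.startsWith('*.')) return pattern === host;
  const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
  return host.endsWith(suffix) && host.length > suffix.length;
}

function sourceAllows(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === page.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s, target.protocol);
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false; // unsupported or malformed source expression
  const [, scheme, host, port] = m;
  if (!schemeMatches(scheme ? scheme + ':' : page.protocol, target.protocol)) return false;
  if (!hostMatches(host, target.hostname.toLowerCase())) return false;
  // URL normalises a default port to "", so a source without a port only matches a default port.
  if (!port) return target.port === '';
  return port === '*' || port === (target.port || (target.protocol === 'https:' ? '443' : '80'));
}

function connectAllowed(policy, pageUrl, requestUrl) {
  // connect-src governs XHR, fetch and WebSocket; it falls back to default-src when absent.
  const sources = directiveSources(policy, 'connect-src') ?? directiveSources(policy, 'default-src');
  if (sources === null) return true; // neither directive present: no restriction
  const page = new URL(pageUrl), target = new URL(requestUrl);
  return sources.some((src) => sourceAllows(src, target, page));
}
```

With the report's header, connectAllowed("connect-src 'self'", "https://www.site.test/article", "https://www.example.com/add/?label=x") returns false, which is the block the reporter describes; adding https://www.example.com to the directive is what would let the request through.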
Brent Fulgham
Comment 1
2016-04-12 13:39:59 PDT
Relevant: see the "Shortcomings" section of https://github.com/blog/1477-content-security-policy
Brent Fulgham
Comment 2
2016-04-12 13:40:40 PDT
*** Bug 115328 has been marked as a duplicate of this bug. ***
Lucas Forschler
Comment 3
2019-02-06 09:18:37 PST
Mass move bugs into the DOM component.