Bug 174883: RESOLVED DUPLICATE of bug 198579
CSP rules ignored when a page navigates to a blob URL
https://bugs.webkit.org/show_bug.cgi?id=174883
JF Paradis
Reported 2017-07-26 20:41:31 PDT
Created attachment 316513
A PoC where a blob type html ignores CSP from container.

A CSP-protected document can create Blob-URIs that, upon being navigated to, execute JavaScript on the origin domain but lose all CSP restrictions the origin was equipped with. PoC attached.

Observations:
- In FF, CSP rules are respected: allow/disallow unsafe-inline, nonce, etc.
- W3C does seem to indicate that CSP should be applied: "Note: We do all this to ensure that a page cannot bypass its policy by embedding a frame or popping up a new window containing content it controls (blob: resources, or document.write())." https://www.w3.org/TR/CSP/#initialize-document-csp
Attachments
A PoC where a blob type html ignores CSP from container. (506 bytes, text/html)
2017-07-26 20:41 PDT, JF Paradis
no flags
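The inheritance rule the report cites from the CSP specification, as an added example that is not part of the original report and is not WebKit code. It is a simplified model: a document loaded from a local-scheme URL (about:, blob:, data:) copies its creator's policies, so an inline script blocked in the creator stays blocked in the blob document. The function names, sample policy and sample blob URL are constructed for illustration.

```javascript
// Added illustration; not WebKit code. Simplified model of the CSP
// "initialize a Document's CSP list" step cited in the report.
const LOCAL_SCHEMES = new Set(["about:", "blob:", "data:"]); // Fetch's "local scheme"

// Parse one serialized policy into Map<directive, source-expression[]>.
function parsePolicy(serialized) {
  const policy = new Map();
  for (const part of serialized.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per CSP, the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Policies the new document must enforce: those delivered with its own
// response plus, for local-scheme URLs, copies of the creator's policies.
function initializeDocumentCspList(documentUrl, responsePolicies, creatorPolicies) {
  const inherited = LOCAL_SCHEMES.has(new URL(documentUrl).protocol)
    ? creatorPolicies
    : [];
  return [...inherited, ...responsePolicies].map(parsePolicy);
}

// True if an inline <script> without a nonce would run under every policy.
function allowsInlineScript(cspList) {
  return cspList.every((policy) => {
    const sources = policy.get("script-src") ?? policy.get("default-src");
    if (sources === undefined) return true; // no directive governs scripts
    const lower = sources.map((s) => s.toLowerCase());
    // A nonce or hash source makes the browser ignore 'unsafe-inline'.
    const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
  });
}

// Constructed sample values.
const creatorCsp = ["default-src 'self'; script-src 'self'"];
const blobUrl = "blob:https://app.example/3f1c9a52-0000-4000-8000-000000000000";

// Expected per the spec: the blob document inherits the creator's policy.
console.log(allowsInlineScript(initializeDocumentCspList(blobUrl, [], creatorCsp)));
// The reported behaviour corresponds to an empty policy list.
console.log(allowsInlineScript([]));
```

A regression test for this class of bug compares the two outcomes: the blob document must behave like the first call, not the second.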
Radar WebKit Bug Importer
Comment 1 2017-07-27 13:45:35 PDT
Daniel Bates
Comment 2 2019-06-11 10:40:56 PDT
*** This bug has been marked as a duplicate of bug 198579 ***