Please enter a one-line summary:
Steps to reproduce the problem:
- Download attached Zip File
- Extract Zip file into a folder that is served over http on
localhost - Update the hosts file so
malicious.comredirects tolocalhost - Go on
http://localhost/ALLOW_JAVASCRIPT_SCHEME.html(nothttps:) - See how
DEMO_LEGIT_FAIL.jstries and due to the configured CSP rules in the page fails to access:
bypass-child-src.htmlbypass-object-src.htmlbypass-script-src.js
- Also see how
DEMO_MALICIOUS_SUCCESS.jstries and succeeds to bypass the configured CSP rules in the page and access:
bypass-child-src.htmlbypass-object-src.htmlbypass-script-src.js
- Repeat stages 4-6 for
http://localhost/BLOCK_JAVASCRIPT_SCHEME.html(nothttps:) too
What is the expected behavior?
Accessing forbidden resources should be blocked by the browser based on the configured CSP rules of the page
What went wrong?
Accessing forbidden resources is allowed by the browser even though is not allowed based on the configured CSP rules of the page
Did this work before?
"Not applicable or don't know"
Any other comments?
I see the severity of this vulnerability as Medium based on the fact that it allows full CSP bypassing. This vulnerability is platform agnostic and was proven to work on latest Chromium based browsers (Chrome/Opera/Edge) on Windows, Mac and Android as well.