[whatwg] <iframe srcdoc> and Content-Security-Policy

Ian Hickson ian at hixie.ch
Fri Jun 22 16:10:48 PDT 2012


On Mon, 7 May 2012, Adam Barth wrote:
>
> == Summary ==
> 
> When creating a srcdoc document, we need to be careful to avoid
> introducing a Content-Security-Policy loophole.
> 
> == Details ==
> 
> Consider a document with the following Content-Security-Policy:
> 
> Content-Security-Policy: default-src 'none'; frame-src *
> 
> Now, imagine the following injection vulnerability in index.php:
> 
> <body>Hello <?=$username?></body>
> 
> This Content-Security-Policy is supposed to prevent the attacker from
> being able to inject script into index.php.  However, consider the
> following value for $username:
> 
> $username = '<iframe
> srcdoc="<script>alert(parent.document.cookie);</script>"></iframe>';
> 
> In this case, we could get in trouble if the user agent doesn't
> enforce the parent document's Content-Security-Policy on the srcdoc
> document because the user agent copies the parent document's origin
> onto the child document.
> 
> == Proposal ==
> 
> When creating a srcdoc document, in the same way that we copy the
> parent document's origin onto the child document, we should:
> 
> 1) /enforce/, on the srcdoc document, all CSP policies currently being
> enforced on the parent document.
> 2) /monitor/, on the srcdoc document, all CSP policies currently being
> monitored on the parent document.
> 
> Please see <http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html>
> for definitions of these terms.

How is this different from the same attack but with:

   $username = '<iframe src="data:text/html,<script>alert(parent.document.cookie);</script>"></iframe>';

..., or:

   $username = '<iframe src="attacker-uploaded-file-without-csp.html"></iframe>';

...? That is, why is srcdoc="" special here?

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
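The inheritance rule in Adam's proposal, modelled as an added Python example (not code from either author, the CSP spec, or any browser): a srcdoc child copies the parent's origin and, with the proposal applied, also its enforced and monitored policies, so the inline script from the quoted injection is blocked in the child exactly as it would be in the parent. The CSP parser and the script-src/default-src fallback are my simplifications, and the model covers only the srcdoc case, not the data: or external-file cases Ian raises.

```python
from dataclasses import dataclass, field

def parse_csp(header):
    """Parse a CSP header value like "default-src 'none'; frame-src *"
    into {directive: [source expressions]} (simplified assumption)."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def allows_inline_script(policy):
    """Inline <script> is governed by script-src, falling back to default-src;
    it runs only if that list contains 'unsafe-inline'. No directive at all
    means the policy does not restrict it."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-inline'" in sources

@dataclass
class Document:
    origin: str
    enforced: list = field(default_factory=list)   # policies that block
    monitored: list = field(default_factory=list)  # report-only policies

def create_srcdoc_document(parent, inherit_csp=True):
    """Create the srcdoc child. The origin is always copied from the parent;
    inherit_csp=True applies the proposal (copy enforced + monitored policies),
    inherit_csp=False models the loophole the post describes."""
    child = Document(origin=parent.origin)
    if inherit_csp:
        child.enforced = list(parent.enforced)
        child.monitored = list(parent.monitored)
    return child

def inline_script_blocked(doc):
    """True if any enforced policy on doc forbids inline script."""
    return any(not allows_inline_script(p) for p in doc.enforced)

def inline_script_reported(doc):
    """True if any monitored policy on doc would report inline script."""
    return any(not allows_inline_script(p) for p in doc.monitored)

if __name__ == "__main__":
    # Constructed parent: the policy from the post, served with index.php.
    parent = Document("https://example.com",
                      enforced=[parse_csp("default-src 'none'; frame-src *")])
    print("loophole:", inline_script_blocked(create_srcdoc_document(parent, inherit_csp=False)))
    print("proposal:", inline_script_blocked(create_srcdoc_document(parent)))
```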