Hacker News new | ask | show | jobs
by alxlu 2900 days ago
In the example they have default-src set to ‘self’ ‘unsafe-inline’

That essentially means frame-src is set to that same thing since it’s not specified. So the bypass in the example would still work since it’s iframing the same (trusted) domain even if they explicitly specify frame-src.
1 comments
nailer 2900 days ago
i don't understand. If they set frame-src to an explicit list of domains they trust surely default-src becomes irrelevant and the exploit doesn't work? I'm testing it now and creating an iframe won't work.
link
alxlu 2900 days ago
Yeah if you set frame-src to something that doesn’t include the current domain then it should prevent loading an iframe from the same origin

That being said, this technique might still work in theory on whatever domains you have specified in frame-src if it doesn’t include ‘self’.

So if you’re foo.com and frame-src only allows bar.com. If you managed to get script into foo.com maybe you could put an iframe pointing to bar.com/reallylongorinvalid

That being said I haven’t had a chance to try this out on my machine yet so I could be missing something

Also it looks like their demo includes sandbox allow-same-origin and allow-scripts in its CSP.

link
alxlu 2900 days ago
Following up on this. It looks I spoke too soon about the separate domain iframe, since that would be blocked by the iframe's cross domain policy.

So if the domain you are currently on listed in frame-src it looks like you would be safe from this. But if you explicitly set frame-src to include either 'self' or the domain itself then you would still be vulnerable to this.

link
nailer 2900 days ago
Thanks for replying. Yeah I get this / agree with you now.

> But if you explicitly set frame-src to include either 'self' or the domain itself then you would still be vulnerable to this.

Exactly.

- There is a site foo.com, which has a CSP, but allows iframes from self or foo.com

- A user is able to inject some XSS to open an iframe to foo.com/50x.html, an nginx page with no CSP. Since CSP allows our own site to be used in iframes, this is allowed.

- In that page, further JS is injected to extract secrets from the foo.com parent page and connect them to remote networks. Since foo.com/50x.html has no CSP, this is allowed.

link