
CSP bypass: How one Chrome XSS bug took 2.5 years and an HTML spec change to fix

submitted by
Style Pass
2021-06-22 14:00:04

The Chromium team has patched a 2.5-year-old bug that made it possible to stage cross-site scripting (XSS) attacks on web pages, even if they had been configured to prevent XSS attacks.

Discovered by Jun Kokatsu, browser security researcher at Microsoft, the bug allowed attackers to bypass Content Security Policy (CSP), an HTTP header that restricts which scripts and other resources a page is permitted to load and execute.

In a proof-of-concept, Kokatsu showed that if a web application creates a Blob URL from attacker-controlled data, it could lead to XSS attacks – even if the site is protected with strict CSP policies. Blob objects hold raw, immutable data that can be read as text, as binary buffers, or as streams.

Because of the way iframes (embedded HTML pages) inherit headers and policies from their parent page, an attacker could exploit the bug to bypass the parent's CSP rules and execute malicious script in the page's context.

For example, a recent XSS vulnerability in chat.mozilla.org occurred due to creating a Blob URL from a Blob object passed by an attacker.
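As an added defensive illustration (not code from the article, Chromium or Mozilla), the following shows one way a page can avoid minting Blob URLs that render attacker-controlled data as a scriptable document and, where such data must be framed, sandbox the frame before it navigates. The function names, the inert-type allowlist and the fake `document` used for testing are assumptions of this example.

```javascript
// Added example: a defensive wrapper around Blob URL creation. Assumes a page
// that turns data it did not produce (uploads, postMessage payloads, fetched
// content) into Blob URLs and sometimes displays them in an iframe.

// MIME types a browser treats as inert when a frame or tab navigates to them.
// Anything that can be parsed as a document able to run script (text/html,
// image/svg+xml, XML variants) or that the browser might sniff is excluded.
const INERT_BLOB_TYPES = new Set([
  'text/plain',
  'application/octet-stream',
  'image/png',
  'image/jpeg',
  'image/gif',
]);

// Normalise an untrusted MIME type (case, parameters, missing value) and map
// everything outside the allowlist to application/octet-stream.
function coerceBlobType(untrustedType) {
  const base = String(untrustedType || '')
    .split(';')[0]
    .trim()
    .toLowerCase();
  return INERT_BLOB_TYPES.has(base) ? base : 'application/octet-stream';
}

// Re-wrap the blob with the coerced type before minting the URL, so the
// attacker-supplied type on the original Blob object never reaches the URL.
function createGuardedBlobUrl(untrustedBlob) {
  const safeType = coerceBlobType(untrustedBlob.type);
  const rewrapped = new Blob([untrustedBlob], { type: safeType });
  return URL.createObjectURL(rewrapped);
}

// Build a frame for the guarded Blob URL. The sandbox attribute is set
// before src so the restrictions apply to the very first navigation; an
// empty sandbox value is the most restrictive (no scripts, opaque origin).
function mountBlobInFrame(doc, untrustedBlob) {
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', '');
  frame.src = createGuardedBlobUrl(untrustedBlob);
  return frame;
}
```

The sandbox step is defence in depth for ordinary frames and is not a substitute for the browser fix the article describes.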
