undefined | Better HN

0 pointsnailer7y ago0 comments

I don't think you're reading my question properly - I'm asking about when frame-src IS specified - but just in case it's me that's missing something. I'll reword my question.

What happens if a site:

- allows 'unsafe-inline' as a script-src

- does not allow untrusted domains in frame-src

0 comments

3 comments · 1 top-level

alxlu7y ago· 2 in thread

In the example they have default-src set to ‘self’ ‘unsafe-inline’

That essentially means frame-src is set to that same thing since it’s not specified. So the bypass in the example would still work since it’s iframing the same (trusted) domain even if they explicitly specify frame-src.

nailerOP7y ago

i don't understand. If they set frame-src to an explicit list of domains they trust surely default-src becomes irrelevant and the exploit doesn't work? I'm testing it now and creating an iframe won't work.

alxlu7y ago

Yeah if you set frame-src to something that doesn’t include the current domain then it should prevent loading an iframe from the same origin

That being said, this technique might still work in theory on whatever domains you have specified in frame-src if it doesn’t include ‘self’.

So if you’re foo.com and frame-src only allows bar.com. If you managed to get script into foo.com maybe you could put an iframe pointing to bar.com/reallylongorinvalid

That being said I haven’t had a chance to try this out on my machine yet so I could be missing something

Also it looks like their demo includes sandbox allow-same-origin and allow-scripts in its CSP.

1 more reply

j / k navigate · click thread line to collapse