This page documents potential security vulnerabilities related to Content Security Policy (CSP) in Chromium. CSP is a crucial security mechanism that helps mitigate cross-site scripting (XSS) and other code injection attacks. The VRP data highlights the importance of secure CSP handling. Note: CSP Level 1 is obsolete; refer to CSP Level 2 and beyond.
- Policy Parsing and Enforcement: Incorrect parsing or enforcement of CSP directives could allow bypasses. The parsing and enforcement logic in
content_security_policy.ccneeds thorough review. - Nonce and Hash Verification: Incorrect nonce or hash verification for inline scripts and styles could allow malicious code execution. The
AllowInlinefunction is critical for secure nonce/hash handling. - Request Handling: Weaknesses in request handling based on CSP could allow unauthorized requests. The
AllowRequestfunction and its interaction with different request contexts and destinations need careful analysis. - Bypass Techniques: Attackers might discover bypass techniques for CSP, either through flaws in the implementation or by exploiting interactions with other browser features. Regular testing and analysis are crucial to identify and mitigate bypasses.
- Unsafe Directives: The use of unsafe directives like
unsafe-inlineorunsafe-evalweakens CSP and should be avoided if possible. The handling of these directives incsp_directive_list.ccneeds careful review. - Dangling Markup Injection: Dangling markup injection could allow attackers to bypass CSP by injecting malicious code into existing nonced elements. The
IsNonceableElementfunction is crucial for preventing this type of attack.
third_party/blink/renderer/core/frame/csp/content_security_policy.cc: TheContentSecurityPolicyclass handles CSP. Key functions includeAddPolicies,AllowInline,AllowRequest,AllowEval,AllowWasmCodeGeneration,ReportViolation,EnforceSandboxFlags,RequireTrustedTypes,EnforceStrictMixedContentChecking,UpgradeInsecureRequests,ShouldBypassContentSecurityPolicy,HasPolicyFromSource, andAllowFencedFrameOpaqueURL.third_party/blink/renderer/core/frame/csp/csp_directive_list.cc: This file contains complex logic for handling various CSP directives, includingscript-src,object-src,style-src, etc. Functions likeCSPDirectiveListAllowFromSource,CSPDirectiveListAllowInline,CSPDirectiveListAllowEval, andCSPDirectiveListAllowHashneed a thorough security audit.- CSP Level 2+ Features: The implementation of CSP Level 2 and later features, such as new directives, reporting mechanisms, and stricter parsing rules, needs careful review to ensure they are secure and effective.
- Interaction with Other Security Mechanisms: The interaction between CSP and other security mechanisms, such as CORS, HTTPS, and sandboxing, should be analyzed for potential conflicts or bypasses.
- Nonce Generation and Management: The generation and management of nonces for inline scripts and styles should be reviewed to ensure uniqueness and prevent reuse.
- Hash Algorithm Security: The security of the hash algorithms used for whitelisting resources should be evaluated, considering potential collision attacks or weaknesses in the algorithms themselves.
- Reporting Mechanism Security: The security of the reporting mechanisms, including the handling of report-uri and report-to directives, needs further analysis to prevent information leakage or bypasses.
- Parser and Enforcement Interaction: The interaction between the CSP parser and the enforcement logic should be reviewed for potential inconsistencies or vulnerabilities.
- Strict Dynamic: The implementation and security implications of the 'strict-dynamic' source expression need further analysis, especially regarding its interaction with nonces and hashes.
third_party/blink/renderer/core/frame/csp/content_security_policy.ccthird_party/blink/renderer/core/frame/csp/csp_directive_list.cc