
Thomas Rientjes / decentraleyes / Issues / #130

Status: Closed

Opened Nov 07, 2016 by Ghost User (@ghost), Contributor

Decentraleyes facilitates specific CSP bypasses

Created by: Rob--W

The Decentraleyes add-on bundles old and known-vulnerable versions of JavaScript libraries, which can be loaded even if the page has blocked external resource loads through the CSP. As a result, the CSP becomes less effective as a defense to XSS.

Proof of concept:

  1. Install Decentraleyes from AMO (version 1.3.5) (tested with Firefox 49 and Firefox 52).
  2. Visit https://robwu.nl/s/csp-decentraleyes.html. The page has Content-Security-Policy: default-src 'none'; script-src 'nonce-inline-script-for-self-contained-poc', which is the strongest possible form of CSP: except for scripts that are marked with the given nonce, no other resource should load.
  3. The page attempts to load a script from the Decentraleyes add-on (e.g. jQuery) and then attempts to verify that the script load succeeded by appending "Failed" to the document. If the library failed to load, "Maybe no fail" is appended.

Expected:

  • "Maybe no fail" - indicating that the CSP is not bypassed (or the add-on is not installed).

Actual:

  • "Failed" - indicating that the presence of the add-on allowed the web page to bypass the CSP.
Milestone: v1.3.6
Reference: Synzvato/decentraleyes#130