Decentraleyes facilitates specific CSP bypasses
Created by: Rob--W
The Decentraleyes add-on bundles old and known-vulnerable versions of JavaScript libraries, which can be loaded even if the page has blocked external resource loads through the CSP. As a result, the CSP becomes less effective as a defense to XSS.
Proof of concept:
- Install Decentraleyes from AMO (version 1.3.5) (tested with Firefox 49 and Firefox 52).
- Visit https://robwu.nl/s/csp-decentraleyes.html
  The page is served with the following header, which is the strongest possible form of CSP: apart from scripts marked with the given nonce, no other resource should load.
  Content-Security-Policy: default-src 'none'; script-src 'nonce-inline-script-for-self-contained-poc'
- The page attempts to load a script from the Decentraleyes add-on (e.g. jQuery) and then verifies that the script load succeeded by appending "Failed" to the document. If the library failed to load, "Maybe no fail" is appended.
Expected:
- "Maybe no fail" - indicating that the CSP is not bypassed (or the add-on is not installed).
Actual:
- "Failed" - indicating that the presence of the add-on allowed the web page to bypass the CSP.
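To make the expected behaviour concrete, here is a small evaluator for the script-src part of a CSP header, run against the exact policy quoted in the report. This is an added example, not code from the bug report or from Decentraleyes; the CDN URL, the page origin and all function names are constructed for illustration. It shows that under this policy the only source expression is the nonce, so no external script (CDN or same-origin) matches and a compliant browser must refuse the load. A library copy served by the add-on is delivered outside this matching step, which is exactly the gap the report describes.

```javascript
'use strict';
// Added example (not from the bug report or Decentraleyes): evaluate whether a
// script load is permitted by the script-src portion of a CSP header.
// Covers 'none', 'self', 'unsafe-inline', 'nonce-...', scheme sources (https:)
// and host sources with an optional leading wildcard (*.example.com).
// Hash sources and 'strict-dynamic' are out of scope. Helper names are mine.

// The exact policy from the report.
const REPORT_POLICY =
  "default-src 'none'; script-src 'nonce-inline-script-for-self-contained-poc'";

// Parse "dir src src; dir src" into { dir: [src, ...] }.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// script-src governs scripts; default-src is the fallback; null = unrestricted.
function scriptSources(directives) {
  return directives['script-src'] || directives['default-src'] || null;
}

// Match one host/scheme source expression against a parsed URL.
function hostSourceMatches(expr, url, page) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {            // scheme source, e.g. https:
    return url.protocol.toLowerCase() === expr.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+|\*)(?::(\d+|\*))?(\/[^?#]*)?$/i
    .exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  const want = host.toLowerCase();
  if (scheme) {
    if (url.protocol !== scheme.toLowerCase() + ':') return false;
  } else if (want !== '*') {
    // Scheme inherited from the page; http pages may also load https sources.
    const ok = url.protocol === page.protocol ||
      (page.protocol === 'http:' && url.protocol === 'https:');
    if (!ok) return false;
  }
  const h = url.hostname.toLowerCase();
  if (want === '*') { /* any host */ }
  else if (wildcard) { if (!h.endsWith('.' + want)) return false; }
  else if (h !== want) return false;
  if (port && port !== '*') {
    const urlPort = url.port ||
      (url.protocol === 'https:' ? '443' : url.protocol === 'http:' ? '80' : '');
    if (urlPort !== port) return false;
  }
  if (path) {
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// request: { src, nonce } for an external script, { inline: true, nonce } for
// an inline one. Returns true when the policy permits the script to run.
function scriptAllowed(header, request, pageOrigin) {
  const sources = scriptSources(parsePolicy(header));
  if (sources === null) return true;                    // nothing restricts scripts
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  // Nonces are compared exactly (case-sensitive), before anything else.
  if (request.nonce && sources.includes("'nonce-" + request.nonce + "'")) return true;
  const lower = sources.map((s) => s.toLowerCase());
  if (request.inline) {
    // 'unsafe-inline' is ignored once a nonce or hash source is present.
    const hasNonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    return !hasNonceOrHash && lower.includes("'unsafe-inline'");
  }
  const url = new URL(request.src);
  const page = new URL(pageOrigin);
  for (const s of sources) {
    if (s.toLowerCase() === "'self'") {
      if (url.origin === page.origin) return true;
      continue;
    }
    if (s.startsWith("'")) continue;                    // keywords/nonces never match URLs
    if (hostSourceMatches(s, url, page)) return true;
  }
  return false;
}

// The report's scenario: nonce'd inline script vs. a library fetched from a CDN.
function evaluateReportScenario() {
  const pageOrigin = 'https://robwu.nl';               // origin of the PoC page
  const cdnLib = 'https://cdn.example.com/jquery.min.js'; // constructed CDN URL
  return {
    inlineWithNonce: scriptAllowed(REPORT_POLICY,
      { inline: true, nonce: 'inline-script-for-self-contained-poc' }, pageOrigin),
    inlineWithoutNonce: scriptAllowed(REPORT_POLICY, { inline: true }, pageOrigin),
    cdnLibrary: scriptAllowed(REPORT_POLICY, { src: cdnLib }, pageOrigin),
    sameOrigin: scriptAllowed(REPORT_POLICY, { src: 'https://robwu.nl/lib.js' }, pageOrigin),
  };
}

console.log(JSON.stringify(evaluateReportScenario(), null, 2));
```

Under the report's policy only the nonce'd inline script is allowed; the CDN library and even a same-origin script are refused because script-src carries no host source and default-src is not consulted once script-src is present. Swapping in a looser policy such as `script-src 'self' https://cdn.example.com` makes the CDN load legitimate, which is the decision a browser should be making for every script, including ones an extension chooses to serve from its bundle.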