Decentraleyes facilitates specific CSP bypasses
Created by: Rob--W
Proof of concept:
- Install Decentraleyes from AMO (version 1.3.5) (tested with Firefox 49 and Firefox 52).
- Visit https://robwu.nl/s/csp-decentraleyes.html
The page is served with the header
Content-Security-Policy: default-src 'none'; script-src 'nonce-inline-script-for-self-contained-poc'
which is the strongest possible form of CSP: apart from scripts marked with the given nonce, no other resource should load.
- The page attempts to load a script from the Decentraleyes add-on (e.g. jQuery) and then checks whether the script load succeeded: if the library loaded, "Failed" is appended to the document; if the library failed to load, "Maybe no fail" is appended.
Possible outcomes:
- "Maybe no fail" - indicates that the CSP is not bypassed (or the add-on is not installed).
- "Failed" - indicates that the presence of the add-on allowed the web page to bypass the CSP.
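An added example (not code from the PoC page or from Decentraleyes) that evaluates the report's policy string the way a browser does for the two kinds of script the PoC involves: a script carrying the page's nonce, and an external library URL (the CDN URL below is a constructed sample). Under the policy alone the library request must be refused, which is the outcome the PoC labels "Maybe no fail"; a defender checking a site's CSP can use the same logic to confirm that no host source is opened up by accident.

```javascript
// Policy from the PoC page, evaluated for script requests only.
const POLICY = "default-src 'none'; script-src 'nonce-inline-script-for-self-contained-poc'";

// Parse "name value value; name value" into {name: [values]}.
// Per CSP, a directive that appears twice keeps its first occurrence.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Decide whether one script load is allowed.
// request is {nonce: '...'} for a nonced inline script or {url: '...'} for an
// external script. Host-source matching is simplified to exact origin/host
// comparison (no wildcards or path matching), which suffices for this policy.
function scriptAllowed(policy, request) {
  const d = parsePolicy(policy);
  // script-src governs scripts; if absent, default-src applies; if both are
  // absent, the policy does not restrict scripts at all.
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return true;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  for (const src of sources) {
    const m = /^'nonce-(.+)'$/i.exec(src);
    if (m) {
      if (request.nonce && m[1] === request.nonce) return true;
      continue;
    }
    if (request.url && !src.startsWith("'")) {
      const u = new URL(request.url);
      if (src === '*' || src === u.host || src === u.origin) return true;
    }
  }
  return false;
}

// Constructed sample: a typical CDN copy of jQuery that Decentraleyes knows about.
const LIBRARY_URL = 'https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js';
console.log('nonced script allowed:', scriptAllowed(POLICY, { nonce: 'inline-script-for-self-contained-poc' }));
console.log('library URL allowed:', scriptAllowed(POLICY, { url: LIBRARY_URL }));
```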