Recently, I've set Content-Security-Policy headers for my web application. I've tried to be as strict as possible. What strikes me most is the fact that I had to allow blob: for connect-src and img-src due to a third-party component. (Both connect-src and img-src are otherwise restricted to self and some hard-coded URLs.)

So, my question is: Is allowing blob: a general security risk, in the sense that an attacker can, in an injected script, wrap any URL with blob: and thus connect to any arbitrary resource?

cis

  • Are you sure what this 3rd-party component puts in that `Blob`? `blob:` could be an attack vector if an attacker manages to create a `Blob` of their attack script. The difference with `data:` or `http:` is that this `Blob` must be created on the same origin as your website, which narrows the ways of building it (you cannot load a `Blob` from another origin using `blob:`). – Xenos Jul 25 '18 at 07:43

1 Answer

A blob represents data on the client's file system: data that a JavaScript wants to load from or save to such files.

The URL is used for security reasons. That is, if the JavaScript trying to load or save a blob comes from 3rd-party.example.com, then you can block that URL (as you've noticed) to prevent that script from accessing the file system.

If you trust the source of the JavaScript attempting to access blobs (a.k.a. local files), then authorizing them is safe. Of course, you should specifically add those third party domains to your policy:

Content-Security-Policy: connect-src 'self' https://3rd-party.example.com; ...

The load & save features won't create an HTTP connection since they just load from & save to local files. This is just how the security is implemented in a browser.

Alexis Wilke
  • I think if you want to add a blob, even from the same origin you have to use the keyword `blob:` to allow it. It's the protocol that matters here, not the website. – El Mac May 13 '22 at 14:12
  • My example shows that you need to include the _other_ URL(s) if you want that JS to work as expected. The `blob` would also be necessary, indeed. – Alexis Wilke May 13 '22 at 14:52
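The thread turns on two things a reviewer of a policy like the asker's wants to see at a glance: in which directives `blob:` (or `data:`) is admitted, and whether host entries are written correctly (host sources in CSP are unquoted; a quoted host is silently ignored by browsers). The small auditor below is an added example written for this page, not code from either poster; the policies it checks are constructed for the demo.

```python
"""Parse a Content-Security-Policy value and report where client-side scheme
sources such as blob: are admitted, and which host entries are malformed."""

# Keyword sources that are legitimately wrapped in single quotes.
KEYWORDS = {"'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
            "'unsafe-hashes'", "'strict-dynamic'", "'wasm-unsafe-eval'",
            "'report-sample'"}
# Scheme sources whose bytes are produced inside the page, not fetched from a
# host, so a host allow-list does not bound what they can carry.
CLIENT_SCHEMES = {"blob:", "data:", "filesystem:"}
# Directives where a client-minted URL can deliver executable content.
EXEC_DIRECTIVES = {"script-src", "script-src-elem", "worker-src",
                   "object-src", "default-src"}


def parse_csp(header):
    """Return {directive: [source, ...]} for one CSP header value."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def audit(header):
    """Return (directive, source, finding) triples worth a reviewer's eye."""
    findings = []
    for directive, sources in parse_csp(header).items():
        for src in sources:
            low = src.lower()
            if low in CLIENT_SCHEMES:
                risk = "executable" if directive in EXEC_DIRECTIVES else "data-only"
                findings.append((directive, src,
                                 f"client-side scheme ({risk}): any same-origin "
                                 "script can mint such a URL; scope it to the "
                                 "directive the component actually needs"))
            elif low.startswith("'") and low not in KEYWORDS and not \
                    low.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")):
                findings.append((directive, src,
                                 "quoted host: host sources are unquoted, "
                                 "browsers drop this entry"))
    return findings


if __name__ == "__main__":
    # Constructed policy in the spirit of the question: blob: only where the
    # third-party component needs it, scripts still restricted to 'self'.
    asker = ("default-src 'self'; script-src 'self'; "
             "connect-src 'self' https://api.example.com blob:; img-src 'self' blob:")
    for finding in audit(asker):
        print(*finding)
```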