Microsoft won't patch Edge XSS vulnerability

Content security policy bypass is 'by design'.

Cisco Talos security researchers have found a way to bypass the content security policy (CSP) defence mechanism that protects against cross-site scripting attacks in multiple web browsers.

The flaw has been patched in recent versions of Google Chrome and WebKit-based browsers (such as Apple Safari for macOS and iOS), but not in Microsoft's Edge for Windows 10.

"Microsoft stated this is by design, and has declined to patch this issue," Talos said.

CSP prevents cross-site scripting attacks by whitelisting servers that can be used as sources for client-side web application code.

To exploit the vulnerability, a web page can be coded to set its own CSP to include 'unsafe-inline', which allows inline scripts to run.

The web page then opens a new document with the window.open JavaScript method and writes code into it with document.write, enabling cross-site communication.

Talos researcher Nicholas Grødum said that while browsers such as Firefox follow the W3C specification and have the new document inherit the CSP restrictions of the loading document, Microsoft Edge does not.
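The whitelist mechanism the article refers to, and the 'unsafe-inline' source the bypass relies on, are easiest to see in a small policy evaluator. The block below is an added example, not code from the article, from Talos or from any browser; it assumes constructed sample policies (WEAK_CSP, HARDENED_CSP) and hypothetical hosts app.example, cdn.example and other.example. It evaluates the policy of a single document only, so it does not model the inheritance into a window.open'd document that the article describes.

```javascript
// Added example, not code from the iTnews article or from Talos: a small
// parser/auditor for Content-Security-Policy header values. It shows how
// the script-src source list decides (a) whether inline scripts may run
// and (b) which external servers are whitelisted as script sources.
// Constructed sample policies are defined at the bottom.

// Parse "name value value; name value" into Map<name, [sources]>.
function parseCsp(header) {
  const directives = new Map();
  for (const chunk of header.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honour only the first occurrence of a repeated directive.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src; with neither, scripts are unrestricted.
function effectiveScriptSrc(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Inline <script> blocks, including ones injected via document.write, run
// only when 'unsafe-inline' is listed and no nonce- or hash-source is
// present: a nonce or hash makes browsers ignore 'unsafe-inline' (CSP Level 2).
function allowsInlineScript(header) {
  const sources = effectiveScriptSrc(parseCsp(header));
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const hasUnsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return hasUnsafeInline && !hasNonceOrHash;
}

// Is an external script URL whitelisted by the policy of a page at pageOrigin?
// Implements 'self', '*', scheme-sources ("https:") and host-sources with an
// optional "*." wildcard and port. Simplifications vs. the spec: default
// ports are not normalised and path matching is ignored.
function allowsScriptFrom(header, pageOrigin, scriptUrl) {
  const sources = effectiveScriptSrc(parseCsp(header));
  if (sources === null) return true;
  const page = new URL(pageOrigin);
  const target = new URL(scriptUrl);
  for (const raw of sources) {
    const src = raw.toLowerCase();
    if (src === '*') return true;
    if (src === "'self'") {
      if (target.origin === page.origin) return true;
      continue;
    }
    if (src.startsWith("'")) continue; // 'none', 'unsafe-inline', nonces, hashes
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) { // scheme-source, e.g. "https:"
      if (target.protocol === src) return true;
      continue;
    }
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/);
    if (!m) continue;
    const [, scheme, host, port] = m;
    if (scheme) {
      if (target.protocol !== `${scheme}:`) continue;
    } else if (target.protocol !== page.protocol &&
               !(page.protocol === 'http:' && target.protocol === 'https:')) {
      continue; // a schemeless host-source matches the page's scheme (http may upgrade)
    }
    const hostMatches = host.startsWith('*.')
      ? target.hostname.endsWith(host.slice(1)) // "*.example" needs at least one extra label
      : target.hostname === host;
    if (!hostMatches) continue;
    if (port && port !== '*' && target.port !== port) continue;
    return true;
  }
  return false;
}

// Constructed sample policies (not from the article): a weak one that lets
// inline scripts run, and a hardened one that uses a nonce instead.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example";
const HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-R4nd0mV4lu3' 'unsafe-inline'";

// Summarise what a policy permits for a page at pageOrigin (hypothetical hosts).
function audit(header, pageOrigin) {
  return {
    inlineScriptsAllowed: allowsInlineScript(header),
    cdnAllowed: allowsScriptFrom(header, pageOrigin, 'https://cdn.example/lib.js'),
    otherAllowed: allowsScriptFrom(header, pageOrigin, 'https://other.example/x.js'),
  };
}

console.log('weak:', audit(WEAK_CSP, 'https://app.example'));
console.log('hardened:', audit(HARDENED_CSP, 'https://app.example'));
```

The hardened policy keeps 'unsafe-inline' only as a fallback for old browsers: any browser that understands nonces ignores it once a nonce-source is present, so inline scripts written into the page by an attacker no longer run, while scripts from the whitelisted origin still load.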

Talos reported the vulnerability to Microsoft in November last year. Microsoft confirmed the issue in January 2017, but said in March this year that it did not consider it a vulnerability.

Cross-site scripting (XSS) is a widespread attack vector against web applications, and can be used to run malicious scripts that glean sensitive information from browsers, unbeknownst to users.

Copyright © iTnews.com.au. All rights reserved.