-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security: Smuggle arbitrary CSS inside cosmetic uBlock filters #1806
Comments
No need to make duplicates. If you think #1794 wasn't addressed, you should've followed up in there. |
It's fine reporting in a new issue, the issue is in a different code path. |
This is a clever trick, and I learned that |
@gorhill Wow cool you patched it so quickly. Could be a bypass:
|
Interesting, I didn't expect that this would be parsed as a valid CSS declaration:
But it is, and I see the browser not failing at parsing the declaration and silently just discarding the |
Prerequisites
I tried to reproduce the issue when...
Description
uBlock origin allows you to use cosmetic filters to change content on the page. It allows some CSS but disallows making requests such as using background:url(). I've found a way to bypass these restrictions and execute arbitrary CSS:
A specific URL where the issue occurs
https://portswigger-labs.net/
Steps to Reproduce
Expected behavior
You should not be allowed to make background requests inside cosmetic filters
Actual behavior
The background url request is made.
uBlock Origin version
1.38.7b15
Browser name and version
Chrome 95.0.4638.69
Operating System and version
MacOS 10.15.7
The text was updated successfully, but these errors were encountered: