Blink in Google Chrome before 57.0.2987.98 for Mac, Windows, and Linux and 57.0.2987.108 for Android failed to correctly propagate CSP restrictions to local scheme pages, which allowed a remote malicious user to bypass content security policy via a crafted HTML page, related to the unsafe-inline keyword.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
google chrome |
||
debian debian linux 8.0 |
||
debian debian linux 9.0 |
||
redhat enterprise linux desktop 6.0 |
||
redhat enterprise linux server 6.0 |
||
redhat enterprise linux workstation 6.0 |
Tells Cisco's Talos it's a feature, not a bug. Apple and Google disagree and fixed it
Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch? Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft". Grødum posted news of Microsoft's attitude here, explaining that if you use Chrome 57.0.2987.98 or later, you're already protected against CVE-2017-5033. Ditto users of iOS later than 10.3 and Safari lat...