Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify behavior for cached favicon loads #390

Open
briansmith opened this issue May 3, 2019 · 2 comments
Open

Clarify behavior for cached favicon loads #390

briansmith opened this issue May 3, 2019 · 2 comments

Comments

@briansmith
Copy link

briansmith commented May 3, 2019
edited
Loading

It seems some browsers remember the last favicon it used for a site and attempts to load that favicon for any resource that doesn't link to an icon. So, for example, when loading a text/plain document (that doesn't have any Link: <...>; rel="icon" header), the browser will attempt to load the last favicon for the site from whatever URL it loaded it from, or it will try /favicon.ico. Either way, unless the favicon is whitelisted in CSP, a CSP violation will be reported in some of these browsers. In some cases, the violation is even reported to the report-uri.

This makes it difficult to deploy a default "deny all" CSP policy like base-uri 'none'; default-src 'none' for non-HTML resources on a site, as these false positives (especially when reported using report-uri) are overwhelming. Note that it is often difficult to whitelist ONLY favicon URLs in such default policies for various reasons.

IMO the correct behavior is to use the cached favicon without blocking it with a CSP violation (and without reporting a CSP violation in the console or to the report-uri). CSP should only be applied when the resource specifically requested the favicon via a Link: <...>; rel="icon" HTTP header field o via a <link rel=icon> link. The purpose of CSP is to protect against injections (especially XSS). When there is no link to the favicon then nothing has been injected so there's no attack to block or report.
@campbellmc
Copy link

campbellmc commented Apr 13, 2020
edited
Loading

I agree.

If the favicon (or any of the increasing number of icons/tiles/touch etc) are not explicitly defined by the page, they should not generate/report a CSP violation.

The volume of such CSP violations in logs due to properly restrictive img-src/default-src mean the noise floor is raised significantly reducing the effectiveness of report-uri.

We end up with no choice but to be heavy handed with filtering meaning we are more than likely going to miss real violations.

@gxtaillon
Copy link

If it were possible to circumvent the favicon load with a data url plus hash-based integrity, it would remove all noise from favicon requests without punching a hole in the CSP by blindly trusting 'data:'. Something like the following:

<head>
    <meta http-equiv="Content-Security-Policy" content="img-src 'sha256-W29iamVjdCBBcnJheUJ1ZmZlcl0='" />
    <link rel="icon" href="data:," integrity="sha256-W29iamVjdCBBcnJheUJ1ZmZlcl0=">
</head>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@briansmith @gxtaillon @campbellmc