Is Allowing blob: in Content-Security-Policy a Risk?
Recently, I’ve set Content-Security-Policy headers for my web application. I’ve tried to be as strict as possible. What strikes me most is the fact that I had to allow blob: for connect-src and img-src due to a third-party component. (Both connect-src and img-src are otherwise restricted to 'self' and some hard-coded URLs.)

So, my question is: Is allowing blob: a general security risk, in the sense that an attacker could, in an injected script, wrap any URL with blob: and thus connect to any arbitrary resource?
Answer
A blob represents data on the client’s file system: data that JavaScript wants to load from or save to such files.

The URL is used for security reasons. That is, if the JavaScript trying to load or save a blob comes from 3rd-party.example.com, then you can block that URL (as you’ve noticed) to prevent that script from accessing the file system.

If you trust the source of the JavaScript attempting to access blobs (a.k.a. local files), then authorizing them is safe. Of course, you should specifically add those third-party domains to your policy:

Content-Security-Policy: connect-src 'self' 3rd-party.example.com; ...

The load and save features won’t create an HTTP connection, since they just load from and save to local files. This is just how the security is implemented in a browser.
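The question turns on what a blob: URL can actually name. A blob: URL is minted by URL.createObjectURL for a Blob that the page's own script constructed in memory, and the URL carries the origin of the page that created it, so listing blob: in connect-src or img-src adds no network destination that the rest of the source list does not already allow. The following is an added example (not code from the question or the answer): a simplified model of the CSP3 source-matching check, run over a connect-src and an img-src list of the shape the question describes, plus a look at what an injected script would get if it tried to "wrap" a remote URL in blob:. The page origin https://app.example and the partner, CDN and attacker host names are assumptions made up for the example; nonces, hashes, ports and the http-to-https upgrade rule are left out because the question does not need them. It needs Node 18+ or a browser for the global Blob and URL.createObjectURL.

```javascript
// Added example (not from the question or the answer): a simplified model of
// the CSP3 "does url match source expression" check, used to see what putting
// "blob:" in connect-src / img-src does and does not allow. Assumptions: the
// protected page is https://app.example and the partner/CDN/attacker hosts are
// made up; the model handles 'self', scheme sources (blob:, data:, https:) and
// host sources with optional scheme, a leading "*." wildcard and a path prefix.
// Nonces, hashes, 'unsafe-inline', ports and the http->https upgrade rule are
// left out because the question does not need them. Needs Node 18+ or a
// browser (global Blob and URL.createObjectURL).

const PAGE_ORIGIN = "https://app.example"; // assumed origin of the protected page

function parseSourceList(value) {
  return value.trim().split(/\s+/).filter(Boolean);
}

// Match one source expression against a request URL.
function sourceMatches(expr, urlString, pageOrigin = PAGE_ORIGIN) {
  const url = new URL(urlString);
  const page = new URL(pageOrigin);
  const lower = expr.toLowerCase();

  // 'self': same scheme, host and port as the protected page. A blob: URL has
  // scheme "blob:", so 'self' alone never covers it; that is why blob: must be
  // listed explicitly, as the question observed.
  if (lower === "'self'") {
    return url.protocol === page.protocol && url.hostname === page.hostname && url.port === page.port;
  }

  // Scheme source ("blob:", "data:", "https:"): matches that scheme only.
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower;

  // Host source: [scheme://][*.]host[/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(\/.*)?$/.exec(lower);
  if (!m) return false;
  const [, scheme, wildcard, host, path] = m;

  // A host source without a scheme inherits the page's scheme (simplified).
  if ((scheme ? scheme + ":" : page.protocol) !== url.protocol) return false;
  const h = url.hostname.toLowerCase();
  if (wildcard ? !h.endsWith("." + host) : h !== host) return false;
  if (!path) return true;
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

// True if any expression in the directive's source list matches the URL.
function allowed(directiveValue, urlString, pageOrigin = PAGE_ORIGIN) {
  return parseSourceList(directiveValue).some((e) => sourceMatches(e, urlString, pageOrigin));
}

// What an injected script gets if it tries to "wrap" a remote URL in blob:.
// URL.createObjectURL mints "blob:<origin of the creating page>/<uuid>" for a
// Blob the script itself built in memory; the string passed in is only the
// Blob's content and never becomes a network destination. Node reports the
// origin part as "nodedata:", a browser would show the page origin.
function wrapInBlob(remoteUrl) {
  const blob = new Blob([remoteUrl], { type: "text/plain" });
  return URL.createObjectURL(blob);
}

// Origin a browser attributes to a blob: URL: the origin embedded in the URL,
// which is the origin of the page that created the Blob.
function blobUrlOrigin(blobUrl) {
  return new URL(blobUrl).origin;
}

function demo() {
  const connectSrc = "'self' blob: https://api.partner.example"; // constructed policy
  const imgSrc = "'self' blob: cdn.example";                     // constructed policy
  const pageBlob = "blob:https://app.example/0b9e1d52-9c4a-4f7c-8f1b-2a6d0c3e5f71"; // constructed
  const wrapped = wrapInBlob("https://attacker.example/exfil");
  const results = {
    ownApi: allowed(connectSrc, "https://app.example/api/data"),
    partnerApi: allowed(connectSrc, "https://api.partner.example/v1/items"),
    attackerHost: allowed(connectSrc, "https://attacker.example/exfil"),
    dataUri: allowed(connectSrc, "data:text/plain,hi"),
    blobFromPage: allowed(connectSrc, pageBlob),
    blobWithoutBlobSource: allowed("'self'", pageBlob),
    cdnImage: allowed(imgSrc, "https://cdn.example/logo.png"),
    httpCdnImage: allowed(imgSrc, "http://cdn.example/logo.png"),
    wrappedIsBlob: wrapped.startsWith("blob:"),
    wrappedNamesAttacker: wrapped.includes("attacker.example"),
    blobOriginIsPage: blobUrlOrigin(pageBlob) === PAGE_ORIGIN,
  };
  URL.revokeObjectURL(wrapped); // release the in-memory Blob
  return results;
}

console.log(demo());
```

Run with `node` (18 or newer); in a browser console the wrapped URL reads `blob:https://app.example/<uuid>` rather than `blob:nodedata:<uuid>`. The two results to look at are `attackerHost`, which stays false with blob: in the list, and `wrappedNamesAttacker`, which is false because the attacker's URL only ends up as Blob content, never as a host the browser connects to.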