Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch?

Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft".

Grødum posted news of Microsoft's attitude here, explaining that if you use Chrome 57.0.2987.98 or later, you're already protected against CVE-2017-5033. Ditto users of iOS later than 10.3 and Safari later than 10.1, who are spared the ravages of CVE-2017-2419. However, Talos writes, “Microsoft stated that this is by design and has declined to patch this issue”.

The bug/feature is that the browser mishandles about:blank in a way that lets an attacker:

Set Content-Security-Policy (CSP) to allow inline script code (the “unsafe-inline” directive);

Use window.open() to open a new blank window; and

Call document.write to write code into the blank window object, in a way that bypasses CSP restrictions.

Once exploited, an attacker could use JavaScript to contact other sites, and it works, because about:blank has the same origin as the loading document, but without the CSP restrictions.

As Talos explains, the CSP specification is clear that “restrictions should be inherited” – whatever restrictions apply to an origin page should also apply to pages opened from it. ®