so.cl

Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others' company. Arthur Schopenhauer


Linux local electron application script-src: self bypass

While searching for an XSS-to-RCE exploit chain on the draw.io desktop Electron application, I faced a situation where I was able to get an HTML injection which wasn’t sanitized but was blocked by a script-src: self CSP. The specificity of this application is that everything is loaded locally using loadFile (it could also be loadURL with file://). At the moment of my vulnerability research, as far as I know, there was no universal way to bypass this CSP in this specific context (except file://smb-host/share/xss.js, which no longer works if the user has not connected to the share at least once before). After some time, I came up with an interesting idea that unfortunately wasn’t working on draw.io desktop… Therefore, since the approach was really interesting, I decided to write this article to share the tricks with you.