This seems to work due to the fact that MathJax doesn't sanitize the font property of the \unicode macro, so eg with

\unicode[Inter; color:red]{x0041}

You'll get this CSS:

font-family: Inter;...
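To make the mechanism in that comment concrete, here is an added example (not MathJax's or GitHub's code, and a simplified model rather than the real renderer) showing how an unsanitized [font] argument reaches an inline style, beside a builder that validates the argument before interpolating it; parseUnicodeMacro and render are hypothetical helpers:

```javascript
// Added example, not MathJax's or GitHub's code: a simplified model of how the
// optional [font] argument of \unicode[font]{xNNNN} can be interpolated into an
// inline style, and how validating it first stops extra CSS from riding along.

// Hypothetical parser for the macro syntax as written in the thread.
function parseUnicodeMacro(tex) {
  const m = /^\\unicode(?:\[([^\]]*)\])?\{x([0-9A-Fa-f]+)\}$/.exec(tex.trim());
  if (!m) return null;
  return { font: m[1] ?? "", codePoint: parseInt(m[2], 16) };
}

// Unsafe rendering: whatever sat between the brackets lands in the style string,
// so "Inter; color:red" becomes two declarations instead of one font name.
function naiveStyle(fontArg) {
  return `font-family: ${fontArg}`;
}

// Hardened rendering: each comma-separated family must be a plain name
// (letters, digits, spaces, hyphens, optionally quoted). ';', ':', '(' and the
// like never pass, so only a font-family declaration can ever be produced.
const FAMILY = /^\s*(?:"[-A-Za-z0-9 ]+"|'[-A-Za-z0-9 ]+'|[A-Za-z][-A-Za-z0-9]*(?: [-A-Za-z0-9]+)*)\s*$/;

function safeStyle(fontArg) {
  if (fontArg === "") return "";                            // no font requested
  const families = fontArg.split(",");
  if (!families.every((f) => FAMILY.test(f))) return null; // reject the argument
  return `font-family: ${families.map((f) => f.trim()).join(", ")}`;
}

// Render a macro with the chosen style builder; returns the <span> markup.
function render(tex, styleBuilder) {
  const macro = parseUnicodeMacro(tex);
  if (!macro) return null;
  const style = styleBuilder(macro.font);
  const ch = String.fromCodePoint(macro.codePoint);
  return style === null || style === ""
    ? `<span>${ch}</span>`
    : `<span style="${style}">${ch}</span>`;
}
```

With safeStyle the rejected argument simply falls back to an unstyled glyph, which is the behaviour a renderer wants rather than partially applying the declaration.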
OP on Twitter said: "casual CSS injection on github using the math mode"
https://twitter.com/cloud11665/status/1799136093071163396
This is the raw contents of the readme. It looks like it uses some feature of the math mode renderer that allows you to inject CSS styles into a particular element. Once you've done that, you can position that element however you want and wherever you want on the page — in this case, they've made it appear as the background of the entire page.
It's clever, although I imagine GitHub will be fixing it pretty soon!
Yeah, I think I figured out how it works, see my other comment
https://tildes.net/~comp/1gv6/this_github_profile_has_a_custom_background#comment-cxtd
And, of all the custom backgrounds they could choose from, it’s a waifu. Of course it’s a waifu.
I was immediately worried that this could be an issue (although in any case the impact would be limited), but it turns out... nope. GitHub’s security is on point. (who’d’ve thought?!)
Request failure message
Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at https://example.com/ because it violates the following directive: “img-src 'self' data: https://github.githubassets.com https://media.githubusercontent.com https://camo.githubusercontent.com https://identicons.github.com https://avatars.githubusercontent.com https://github-cloud.s3.amazonaws.com https://objects.githubusercontent.com https://secured-user-images.githubusercontent.com/ https://user-images.githubusercontent.com/ https://private-user-images.githubusercontent.com https://opengraph.githubassets.com https://github-production-user-asset-6210df.s3.amazonaws.com https://customer-stories-feed.github.com https://spotlights-feed.github.com https://objects-origin.githubusercontent.com https://*.githubusercontent.com”
If you’re like, a regular person, the above inscrutable message means that an attacker cannot use GitHub to initiate a GET request to an arbitrary domain, whenever someone’s profile is loaded.
If this worked (again, GitHub’s security totally prevents any of these attacks), this could either:
Leak someone’s IP address when they visit a GitHub profile (this is a privacy leak, but one that’s generally accepted by the Internet; nothing would be leaked besides the IP address and this is not a big deal).
DDoS someone. I was going to say that this isn't a big deal because GitHub traffic is minimal, but all you’d have to do is have a thousand references to some large file, different query parameters, and a lot of traffic to that profile, and maybe you could raise somebody’s CDN bill by a few dollars (ballpark).
Cross-site request forgery, which fortunately has been wholly solved by the Internet At Large.
Which means that the worst impact of this flaw is basically that somebody could change the website’s background. (The Internet has gotten very good at removing potential attack surfaces, by necessity!)
I’d imagine this to be fixed by patching whatever math renderer GitHub uses, along with maybe some CSS magic? I’m not familiar enough (read: at all) with stacking contexts to know if they could be used to clip any z-index elements to an element.
Using an iframe would isolate it too, but it wouldn’t work in this case because an iframe doesn’t change size to fit its contents.
Yeah, this is basically exactly the case that CSP was made for.
The worst use case I managed to come up with is just replacing the entire site with an image and preventing the user from doing anything on the page.
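To make the console message quoted above concrete, here is an added example (not from the thread, and a simplified model rather than a browser's implementation) that evaluates image URLs against a subset of that img-src directive; it assumes 'self' is https://github.com and models scheme-source, 'self', and host-source with a "*." wildcard and an optional path prefix:

```javascript
// Added example, not from the thread or any browser's source: a simplified
// CSP source-expression matcher run against a subset of the img-src directive
// quoted in the console message above.

// Subset of the directive from the message above (constructed for the example).
const IMG_SRC =
  "'self' data: https://github.githubassets.com https://camo.githubusercontent.com " +
  "https://secured-user-images.githubusercontent.com/ https://*.githubusercontent.com";

// host-source: [scheme://]host[:port][/path]
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i;

// Does one source expression allow the URL? pageOrigin is used for 'self'.
function sourceMatches(src, url, pageOrigin) {
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === "'none'") return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {            // scheme-source, e.g. data:
    return url.protocol.toLowerCase() === src.toLowerCase();
  }
  const m = HOST_SOURCE.exec(src);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && url.protocol !== `${scheme.toLowerCase()}:`) return false;
  const hostOk = host.startsWith("*.")
    ? url.hostname.endsWith(host.slice(1).toLowerCase()) // subdomains only, not the bare domain
    : url.hostname === host.toLowerCase();
  if (!hostOk) return false;
  if (port && port !== "*" && (url.port || defaultPort(url.protocol)) !== port) return false;
  if (!path) return true;                              // no path: any path allowed
  // A path ending in "/" is a prefix match; otherwise it must match exactly.
  return path.endsWith("/") ? url.pathname.startsWith(path) : url.pathname === path;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// True if any source in the directive allows the URL (the browser's decision).
function isAllowed(directive, urlString, pageOrigin = "https://github.com") {
  const url = new URL(urlString);
  return directive.trim().split(/\s+/).some((s) => sourceMatches(s, url, pageOrigin));
}
```

Running it on https://example.com/ reproduces the blocked outcome from the message, while the githubusercontent hosts and data: URLs pass, which is exactly the boundary the comment relies on.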
https://github.com/flexagoon/trollface
I just see a normal page with "unicode macro is not supported" in the readme section. Has it already been patched?
That’s interesting, you’re right! It was working for me yesterday, but I’m now seeing the same thing as you are.
Yes, it has been patched already unfortunately. You can see what it used to look like on the Wayback Machine
Ah, good catch on the interaction! Yeah, that’s a little more serious than changing the background, hah.
shame they patched it. I had a background set for the day and was really looking forward to myspace 2.0