OpenBlow Whistleblowing Platform Missing Critical Security Headers Vulnerability

Vulnerability

A client-side security misconfiguration has been identified in the OpenBlow whistleblowing platform, affecting multiple versions and default deployments. Responses from the application do not carry several essential HTTP security headers: Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. Without them the browser applies no policy of its own, leaving users exposed to cross-site scripting (XSS), clickjacking, and referrer leakage. Some instances attempt to deliver a CSP through an HTML <meta http-equiv="Content-Security-Policy"> tag instead. That is not an adequate substitute: browsers ignore frame-ancestors, report-uri and sandbox in a meta-delivered policy, so it cannot prevent framing, and the policy only applies from the point at which the HTML parser reaches the tag, so anything injected earlier in the document is not covered. Only the HTTP header enforces the full policy on the whole response.

Impact

The missing headers expose users to several client-side attacks. Without a Content-Security-Policy, any script injection point in the application runs unrestricted, because the browser has no policy limiting where scripts may be loaded from or whether inline script executes. Without a frame restriction (frame-ancestors, which can only be set in the header), the platform can be embedded in a malicious page and used for clickjacking, for example to trick a reporter into submitting or discarding a report. Without a Referrer-Policy, following an external link sends referrer information to the destination: at least the platform's origin under current browser defaults, and the full URL including internal paths under the older no-referrer-when-downgrade default, which on a whistleblowing platform reveals that the user was a reporter. Without a Permissions-Policy, script that does run in the page, whether injected or from an embedded frame that has been granted access, is free to request device APIs such as the camera or microphone. Without Cross-Origin-Embedder-Policy the page is not cross-origin isolated, and without Cross-Origin-Resource-Policy the platform's own responses can be loaded as subresources by pages on other origins, which weakens isolation from external origins and widens the surface for cross-origin data leakage.

Reproduction

To reproduce, request any page of an OpenBlow deployment and inspect the response headers, for example with curl -si https://<host>/ (where <host> is the deployment's hostname) or in the browser's network panel. The response contains none of the headers listed above. Check several routes, not only the landing page, because headers added by a reverse proxy for one location may be absent on others. Where an installation ships a Content-Security-Policy in an HTML meta tag, the response body will show the <meta http-equiv> element while the header remains absent; that policy cannot carry frame-ancestors and should not be counted as a fix.
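As an added example (not part of the original advisory or of the OpenBlow project), the following Python script performs the check above offline on a captured response. It assumes a raw HTTP/1.x response as produced by curl -si (the hostname is a placeholder) and uses two constructed responses: one resembling the reported misconfiguration, with a meta-tag CSP and an unflagged cookie, and one carrying the remediated headers.

```python
"""Audit an HTTP response for the headers this advisory calls out.

Added example, not OpenBlow's own tooling. Input is a raw HTTP/1.x response
(status line, headers, blank line, body) such as the output of
    curl -si https://<host>/        (<host> is a placeholder; nothing here touches the network)
The SAMPLE and HARDENED responses below are constructed for illustration.
"""
import re

REQUIRED = [
    "content-security-policy",
    "referrer-policy",
    "permissions-policy",
    "cross-origin-embedder-policy",
    "cross-origin-resource-policy",
]

# Directives browsers ignore when the policy arrives in <meta http-equiv>.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}

# Matches <meta http-equiv="Content-Security-Policy" content="..."> with the
# attributes in that order; the reversed attribute order is not handled.
META_CSP_RE = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']content-security-policy["\']'
    r'[^>]*content\s*=\s*(["\'])(.*?)\1',
    re.IGNORECASE | re.DOTALL,
)


def parse_response(raw):
    """Split a raw response into ({lower-case name: [values]}, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def parse_csp(policy):
    """Turn "default-src a b; script-src c" into {directive: [sources]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit(raw):
    """Return a list of findings; an empty list means the response passes."""
    headers, body = parse_response(raw)
    findings = [f"missing header: {h}" for h in REQUIRED if h not in headers]

    if "content-security-policy" in headers:
        csp = parse_csp(headers["content-security-policy"][0])
        if "frame-ancestors" not in csp and "x-frame-options" not in headers:
            findings.append("no frame-ancestors or X-Frame-Options: clickjacking")
        if any("'unsafe-inline'" in csp.get(d, []) for d in ("script-src", "default-src")):
            findings.append("CSP permits 'unsafe-inline' scripts")

    meta = META_CSP_RE.search(body)
    if meta:
        ignored = sorted(META_IGNORED & parse_csp(meta.group(2)).keys())
        if ignored:
            findings.append("meta CSP directives browsers ignore: " + ", ".join(ignored))
        if "content-security-policy" not in headers:
            findings.append("CSP delivered only via <meta>: no frame-ancestors, "
                            "and content before the tag is unprotected")

    for cookie in headers.get("set-cookie", []):
        name = cookie.partition("=")[0].strip()
        attrs = {}
        for attr in cookie.split(";")[1:]:
            k, _, v = attr.strip().partition("=")
            attrs[k.lower()] = v.lower()
        lacking = [flag for flag, ok in (("Secure", "secure" in attrs),
                                         ("HttpOnly", "httponly" in attrs),
                                         ("SameSite=Strict", attrs.get("samesite") == "strict"))
                   if not ok]
        if lacking:
            findings.append(f"cookie {name} lacks: {', '.join(lacking)}")
    return findings


# Constructed response resembling the reported misconfiguration.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session_id=abc123; Path=/\r\n"
    "\r\n"
    '<html><head><meta http-equiv="Content-Security-Policy" '
    'content="default-src \'self\'; frame-ancestors \'none\'"></head>'
    "<body>report form</body></html>"
)

# Constructed response carrying the remediated headers and cookie flags.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "Cross-Origin-Embedder-Policy: require-corp\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "Set-Cookie: session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html><body>report form</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("SAMPLE", SAMPLE), ("HARDENED", HARDENED)):
        print(label, audit(raw) or "no findings")
```

Besides the five headers, the audit flags frame-ancestors, report-uri and sandbox inside a meta-delivered policy, since browsers ignore them there, and checks the cookie flags the remediation calls for. To run it against a real deployment, save the curl -si output to a file and call audit() on its contents.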

Remediation

All OpenBlow deployments should send the following headers on every response (listed one per line here, since the CSP value contains semicolons of its own):

Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
Referrer-Policy: no-referrer
Permissions-Policy: camera=(), microphone=(), geolocation=()
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-origin

Set them at the web server or reverse proxy so they cover static assets as well as application pages, and remove any meta-tag CSP once the header is in place so the two cannot diverge. Two caveats apply when rolling this out. First, script-src 'self' blocks inline scripts and event-handler attributes (and default-src 'self' likewise blocks inline styles), so any the application relies on must be moved into files served from the same origin or allowed by nonce or hash. Second, Cross-Origin-Embedder-Policy: require-corp makes the browser refuse cross-origin subresources, such as fonts or scripts from a CDN, that do not themselves carry a Cross-Origin-Resource-Policy or CORS header, so test the change against every external asset the deployment loads. Additionally, all cookies should be flagged Secure, HttpOnly and SameSite=Strict; this includes cookies set by a CDN or load balancer in front of the application, which have to be configured at that layer because the application never sees them.
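The following is an added example, not OpenBlow's own code (the page does not describe OpenBlow's stack), of enforcing this header set and the cookie flags at the application edge: a generic WSGI middleware wrapping a constructed stand-in application. The header values go verbatim into a reverse proxy configuration just as well; what a middleware inside the application cannot do is fix cookies that a CDN or load balancer adds in front of it.

```python
"""WSGI middleware that enforces the remediation headers and cookie flags.

Added example, not OpenBlow's own code. demo_app is a constructed stand-in
for the upstream application; run() is a minimal offline WSGI driver.
"""

SECURITY_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self'; frame-ancestors 'none'"),
    ("Referrer-Policy", "no-referrer"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    # require-corp makes the browser refuse cross-origin subresources that
    # carry neither CORP nor CORS headers, so audit CDN fonts/scripts first.
    ("Cross-Origin-Embedder-Policy", "require-corp"),
    ("Cross-Origin-Resource-Policy", "same-origin"),
]
_MANAGED = {name.lower() for name, _ in SECURITY_HEADERS}


def harden_cookie(value):
    """Force Secure, HttpOnly and SameSite=Strict onto one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    # Drop any existing SameSite attribute so the Strict value below wins.
    kept = [p for p in parts[1:] if not p.lower().startswith("samesite")]
    present = {p.lower() for p in kept}
    if "secure" not in present:
        kept.append("Secure")
    if "httponly" not in present:
        kept.append("HttpOnly")
    kept.append("SameSite=Strict")
    return "; ".join([parts[0]] + kept)


def security_headers(app):
    """Wrap a WSGI app so every response carries the headers and cookie flags."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            fixed = []
            for name, value in headers:
                lower = name.lower()
                if lower == "set-cookie":
                    fixed.append((name, harden_cookie(value)))
                elif lower in _MANAGED:
                    continue            # upstream value is replaced by ours below
                else:
                    fixed.append((name, value))
            fixed.extend(SECURITY_HEADERS)
            return start_response(status, fixed, exc_info)
        return app(environ, patched_start)
    return wrapped


def run(app, path="/"):
    """Minimal WSGI driver for offline use: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo_app(environ, start_response):
    """Constructed stand-in for the upstream application (not OpenBlow)."""
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", "session=abc123; Path=/; SameSite=Lax"),
    ])
    return [b"<html><body>report form</body></html>"]


if __name__ == "__main__":
    status, headers, _ = run(security_headers(demo_app))
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
```

The wrapper replaces any upstream copy of the five managed headers rather than appending a second value, because a browser receiving two Content-Security-Policy headers enforces both and the weaker one would only mask problems in testing; the cookie rewrite likewise overrides a looser SameSite value instead of merely adding the missing flags.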

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          1.7
exploitability  7.7
remediation     0.0
relevance       0.3
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.