lcamtuf on the subtle/deadly problem with CSP

http://lcamtuf.blogspot.com/2011/08/subtle-deadly-problem-with-csp.html

"The key issue is that the granularity of CSP is limited to SOP origins: that is, you can permit scripts from http://www1.mysite.com:1234/, or perhaps from a wildcard such as *.mysite.com - but you can't be any more precise. I am fairly certain that in a majority of real-world cases, this will undo many of the apparent benefits of the scheme."

Basically, Return-Oriented Programming for XSS, or super-DOM-based XSS (made easier by patterns like JSONP).

This isn't a new idea, but I am curious to hear the opinions on the topic from the readers on this list. How important is this kind of attack to real world applications? Are real world web applications stable and well-defined enough to be identified in a more granular way?

Brad Hill
Sr. MTS, Internet Standards and Governance
PayPal Information Risk Management
cell: 206.245.7844 / skype: hillbrad
email: bhill@paypal-inc.com

Received on Tuesday, 30 August 2011 21:23:32 UTC
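An added illustration of the origin-granularity point (not part of Brad Hill's message or lcamtuf's post): a small, simplified Python model of CSP 1.0 host-source matching, where scheme, host, port and `*.` wildcards are compared but the URL path is never consulted, so a JSONP endpoint on an allowed origin passes the same check as the library the policy author actually meant to allow. The policy and URLs are constructed examples.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_matches(pattern: str, host: str) -> bool:
    """'*.mysite.com' matches any subdomain but not the bare apex host."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def source_allows(source_expr: str, script_url: str, page_scheme: str = "https") -> bool:
    """Simplified CSP 1.0 host-source check (scheme, host, port only).

    A host-source may omit the scheme, in which case the document's scheme
    is implied. The path of script_url is deliberately never looked at,
    which is exactly the granularity limit discussed above.
    """
    if "://" not in source_expr:
        source_expr = f"{page_scheme}://{source_expr}"
    src, url = urlsplit(source_expr), urlsplit(script_url)
    if src.scheme != url.scheme:
        return False
    if not _host_matches(src.hostname, url.hostname):
        return False
    src_port = src.port or DEFAULT_PORTS.get(src.scheme)
    url_port = url.port or DEFAULT_PORTS.get(url.scheme)
    return src_port == url_port  # path ignored: any script on this origin is allowed


def policy_allows(script_src_sources: str, script_url: str, page_scheme: str = "https") -> bool:
    """True if any source expression in a script-src value permits script_url."""
    return any(source_allows(s, script_url, page_scheme) for s in script_src_sources.split())


# Constructed policy: a CDN library plus the site's own subdomains.
POLICY = "https://cdn.example.com *.mysite.com"
INTENDED_LIBRARY = "https://cdn.example.com/lib/widgets.min.js"
# A JSONP endpoint on an allowed origin: the response body is shaped by the
# caller-supplied callback parameter, yet the policy cannot tell it apart.
JSONP_ENDPOINT = "https://api.mysite.com/search?callback=handleResults"
OTHER_ORIGIN = "https://static.example.net/widgets.min.js"

if __name__ == "__main__":
    for url in (INTENDED_LIBRARY, JSONP_ENDPOINT, OTHER_ORIGIN):
        print(f"{url!s:60} allowed={policy_allows(POLICY, url)}")
```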