
lcamtuf on the subtle/deadly problem with CSP

From: Hill, Brad <bhill@paypal-inc.com>
Date: Tue, 30 Aug 2011 15:22:53 -0600
To: "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <213E0EC97FE58F469BB618245B3118BB552DA0A087@DEN-MEXMS-001.corp.ebay.com>

"The key issue is that the granularity of CSP is limited to SOP origins: that is, you can permit scripts from http://www1.mysite.com:1234/, or perhaps from a wildcard such as *.mysite.com - but you can't be any more precise. I am fairly certain that in a majority of real-world cases, this will undo many of the apparent benefits of the scheme."

Basically, Return-Oriented Programming for XSS, or super-DOM-based XSS. (made easier by patterns like JSONP)

This isn't a new idea, but I am curious to hear the opinions on the topic from the readers on this list.  How important is this kind of attack to real world applications?  Are real world web applications stable and well-defined enough to be identified in a more granular way?

Brad Hill
Sr. MTS, Internet Standards and Governance
PayPal Information Risk Management
cell: 206.245.7844 / skype: hillbrad
email: bhill@paypal-inc.com
Received on Tuesday, 30 August 2011 21:23:32 UTC
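To make the granularity problem in the quoted passage concrete, the following is an added example (not part of Brad Hill's message or lcamtuf's text): a simplified CSP 1.0-style source-expression matcher that a site owner can run over the script URLs their pages actually load. Source expressions are compared by scheme, host (with the leading `*.` wildcard) and port only; there is deliberately no path comparison, because the expressions in that version of the scheme carry none. The sample policy, page origin and URLs are constructed for the illustration, and the keyword handling (only `'self'`) and scheme-inheritance rule are simplifying assumptions of this example, not a transcription of the specification.

```javascript
// Added example, not from the original post: a simplified CSP 1.0-style
// matcher. Matching is by scheme/host/port only, so every URL on an
// allow-listed host is admitted, whatever its path. Keyword support and
// scheme inheritance are simplifying assumptions of this example.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Parse a host-based source expression such as
// "https://www1.mysite.com:1234" or "*.mysite.com". Note that the grammar
// has no path component: a path cannot be expressed, so it cannot be checked.
function parseSourceExpression(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?\/?$/i.exec(expr);
  if (!m) throw new Error(`unsupported source expression: ${expr}`);
  return {
    scheme: m[1] ? m[1].toLowerCase() + ":" : null, // null = inherit page scheme
    wildcardSubdomain: Boolean(m[2]),
    host: m[3].toLowerCase(),
    port: m[4] || null, // null = default port for the scheme
  };
}

// Does a script URL match one parsed source expression?
function urlMatchesSource(urlString, source, pageOrigin) {
  const url = new URL(urlString);
  const page = new URL(pageOrigin);

  // Scheme: an explicit scheme must match; otherwise the page's scheme is required.
  const requiredScheme = source.scheme || page.protocol;
  if (url.protocol !== requiredScheme) return false;

  // Host: exact match, or any subdomain when the expression starts with "*.".
  // "*.mysite.com" does not match the bare "mysite.com".
  const host = url.hostname.toLowerCase();
  if (source.wildcardSubdomain) {
    if (!host.endsWith("." + source.host)) return false;
  } else if (host !== source.host) {
    return false;
  }

  // Port: "*" matches any; an explicit port must match; otherwise the scheme default.
  if (source.port === "*") return true;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  const requiredPort = source.port || DEFAULT_PORTS[requiredScheme] || "";
  if (urlPort !== requiredPort) return false;

  // No path comparison: "/static/app.js" and "/api/jsonp?callback=f" on the
  // same host are indistinguishable to this matcher, which is the point.
  return true;
}

// Evaluate the script-src directive of a policy string against one script URL.
function policyAllowsScript(policy, urlString, pageOrigin) {
  const directive = policy
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith("script-src "));
  if (!directive) return false; // no script-src: outside this example's scope

  const sources = directive
    .slice("script-src ".length)
    .trim()
    .split(/\s+/)
    .map((expr) => (expr === "'self'" ? pageOrigin : expr)) // 'self' = page origin
    .map(parseSourceExpression);

  return sources.some((src) => urlMatchesSource(urlString, src, pageOrigin));
}

// Constructed sample policy and page origin, echoing the hosts in the quoted text.
const SAMPLE_POLICY =
  "default-src 'self'; script-src https://www1.mysite.com:1234 *.mysite.com";
const PAGE_ORIGIN = "https://www.mysite.com";

// Audit helper: which of the site's observed script URLs does the policy admit?
function auditScriptUrls(urls, policy = SAMPLE_POLICY, pageOrigin = PAGE_ORIGIN) {
  return urls.map((url) => ({ url, allowed: policyAllowsScript(policy, url, pageOrigin) }));
}

// Constructed URLs: the static bundle and a JSONP endpoint on the same host
// both come out "allowed", illustrating that the policy cannot tell them apart.
console.table(
  auditScriptUrls([
    "https://www1.mysite.com:1234/static/app.js",
    "https://www1.mysite.com:1234/api/jsonp?callback=f",
    "https://cdn.mysite.com/lib.js",
    "https://mysite.com/lib.js",
    "https://www1.mysite.com:8080/static/app.js",
    "https://evil.example/x.js",
  ])
);
```

Running `auditScriptUrls` over the script URLs harvested from a site's pages shows what the policy really admits: every path on each allow-listed host, not just the bundles the author had in mind. That inventory is the defender's starting point for deciding which hosts (and which endpoints on them) should remain in `script-src`.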
