
Re: lcamtuf on the subtle/deadly problem with CSP

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 31 Aug 2011 12:51:13 -0700
Message-ID: <CALx_OUDsbtzzDy1Hp7fO2szgAZp_M41wrDeE6RYOAMR3h4RyuA@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, "sird@rckc.at" <sird@rckc.at>, "Hill, Brad" <bhill@paypal-inc.com>, "public-web-security@w3.org" <public-web-security@w3.org>
> Yeah, I agree that the main cost is complexity.  The main question is
> whether this problem is actually "deadly" or whether lcamtuf is being
> hyperbolic.

Obviously the "deadly" part is not to be taken literally: I do not
think there will be casualties ;-) But I do think that origin scoping
makes it difficult to meaningfully use CSP with any large and diverse
web property. I would be surprised if it would not be exploitable in
places such as facebook.com, msn.com, google.com, twitter.com,
wellsfargo.com, att.com, etc. I don't have a proof and may be wrong,
but looks like this is not an isolated sentiment.

If you guys wish to go with path scoping, though, there's an
interesting thought experiment: why not save some bytes, and
decouple script loads from the HTML document body completely, rather
than duplicating the URLs in the policy and then in the document?

It's more efficient, and also prevents the remote but not completely
outlandish risk of loading scripts in the wrong order / more than once
to achieve an unexpected result.

The objection to this proposal is that it decouples some critical
information from the returned payload, but then, it's not like HTTP
specs & browser implementations paid too much attention to this before
(correctly preserving origin, Content-Type, and charset for locally
saved documents, for example, is a bit of an unsolved problem).

Let's see how that troll goes over...

/mz
Received on Wednesday, 31 August 2011 19:51:55 GMT
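As an added illustration of the origin-scoping versus path-scoping distinction argued over in this thread (example code written for this archive page, not code from the thread or from any browser's CSP implementation), the following Python matcher evaluates a script URL against a simplified `script-src` source list. It assumes the later CSP path-matching rules (a source with no path matches any path on that origin; a path ending in `/` is a prefix; any other path must match exactly) and deliberately omits `'self'`, nonces, hashes and wildcard hosts. The host names and paths are constructed.

```python
from urllib.parse import urlsplit

# Constructed policies for a hypothetical site whose static origin also
# serves content the policy author did not intend to be loadable as script.
ORIGIN_SCOPED = "https://static.example.com"
PATH_SCOPED = "https://static.example.com/js/"

_DEFAULT_PORTS = {"https": 443, "http": 80}


def _effective_port(parts):
    """Port of a split URL, filling in the scheme default when absent."""
    if parts.port is not None:
        return parts.port
    return _DEFAULT_PORTS.get(parts.scheme)


def source_allows(source, script_url):
    """True if one CSP source expression permits script_url.

    Simplified matching (assumption, see lead-in):
      - scheme, host and effective port must all match;
      - a source with an empty path is origin-scoped and allows any path;
      - a source path ending in '/' allows any URL path with that prefix;
      - any other source path must match the URL path exactly.
    """
    src = urlsplit(source)
    url = urlsplit(script_url)
    if src.scheme != url.scheme or src.hostname != url.hostname:
        return False
    if _effective_port(src) != _effective_port(url):
        return False
    if src.path == "":
        return True  # origin-scoped: whole origin is trusted
    if src.path.endswith("/"):
        return url.path.startswith(src.path)
    return url.path == src.path


def policy_allows(script_src_value, script_url):
    """True if any whitespace-separated source in a script-src value allows the URL."""
    return any(source_allows(s, script_url) for s in script_src_value.split())


def compare_policies(script_url):
    """Show how the same URL fares under origin and path scoping."""
    return {
        "origin_scoped": policy_allows(ORIGIN_SCOPED, script_url),
        "path_scoped": policy_allows(PATH_SCOPED, script_url),
    }


if __name__ == "__main__":
    # Constructed script URLs: one the author meant to allow, one they did not.
    for u in ("https://static.example.com/js/app.js",
              "https://static.example.com/uploads/anything.js"):
        print(u, compare_policies(u))
```

Run stand-alone, the script shows the point the mail makes: the origin-scoped policy allows both URLs, because trusting an origin means trusting every path it can serve, whereas the path-scoped policy allows only the intended `/js/` prefix. On a large property with many teams publishing under one origin, that difference is what decides whether the policy meaningfully restricts script sources.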

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 31 August 2011 19:51:56 GMT