
Re: XSS mitigation in browsers

From: Sid Stamm <sid@mozilla.com>
Date: Thu, 20 Jan 2011 14:59:49 -0800
Message-ID: <4D38BE65.2070103@mozilla.com>
To: Michal Zalewski <lcamtuf@coredump.cx>
CC: Brandon Sterne <bsterne@mozilla.com>, Adam Barth <w3c@adambarth.com>, public-web-security@w3.org, Lucas Adamski <ladamski@mozilla.com>
On 1/20/11 2:49 p, Michal Zalewski wrote:
> So, if origin-wide script inclusion is permitted, I can probably inject this:
> 
> <script src="http://allowed_origin/nonexistent/path/{alert(1)}"></script>
> 
> ...and have my payload execute under CSP and under Adam's proposal. In
> browsers that don't support E4X, this is probably also exploitable in
> many cases, especially with text/plain responses, hosted files, etc -
> just marginally harder.
> 
> This can be fixed by strictly enforcing Content-Type.

https://wiki.mozilla.org/Security/CSP/Specification#No_inline_scripts_will_execute

"User Agents MUST NOT block:
" * Scripts imported from external files whose sources are allowed by
the protected document's policy AND are served with a Content-Type of
application/javascript or application/json. "

We should probably make it clearer, but I think we intended to strictly
enforce content type for script elements: scripts can only be loaded
from an external file of the right content-type, and must be served from
a whitelisted origin.

The other case you present is indeed more problematic.

-Sid
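As an added illustration (not code from this thread, nor Mozilla's CSP implementation), the following Python check applies the two conditions of the spec text quoted above: an external script must come from an origin listed in script-src AND be served with one of the permitted Content-Types. The policy header, document URL and hostnames are constructed for the example.

```python
from urllib.parse import urlsplit

# Media types the quoted CSP draft permits for externally loaded scripts.
ALLOWED_SCRIPT_TYPES = {"application/javascript", "application/json"}

def origin_of(url):
    """scheme://host[:port], lower-cased, of a URL or of a host-style CSP source expression."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"

def parse_script_src(policy):
    """Source list of the script-src directive in a policy header value (empty if absent)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []

def media_type(content_type):
    """Media type without parameters such as charset, case-normalised."""
    return content_type.split(";", 1)[0].strip().lower()

def external_script_allowed(policy, document_url, script_url, content_type):
    """Both conditions from the quoted text must hold: allowed origin AND permitted Content-Type."""
    script_origin = origin_of(script_url)
    origin_ok = any(
        (src == "'self'" and script_origin == origin_of(document_url))
        or ("://" in src and origin_of(src) == script_origin)
        for src in parse_script_src(policy)
    )
    return origin_ok and media_type(content_type) in ALLOWED_SCRIPT_TYPES

def run_cases():
    """Constructed cases; policy value and hostnames are invented for illustration."""
    policy = "default-src 'self'; script-src 'self' http://allowed_origin"
    doc = "http://victim.example/page"
    return {
        # The injection quoted in the thread: allowed origin, but a 404 page served as HTML fails the type check.
        "404_as_html": external_script_allowed(policy, doc, "http://allowed_origin/nonexistent/path/{alert(1)}", "text/html; charset=utf-8"),
        # The same origin serving a real script passes both checks.
        "real_script": external_script_allowed(policy, doc, "http://allowed_origin/app.js", "application/javascript"),
        # Hosted text files are excluded by the Content-Type rule even from an allowed origin.
        "text_plain": external_script_allowed(policy, doc, "http://allowed_origin/readme.txt", "text/plain"),
        # Correct Content-Type from an origin that is not in the policy is still blocked.
        "foreign_origin": external_script_allowed(policy, doc, "http://other.example/app.js", "application/javascript"),
        # 'self' matches the document origin; the type comparison ignores case and parameters.
        "self_mixed_case": external_script_allowed(policy, doc, "http://victim.example/app.js", "Application/JavaScript; charset=UTF-8"),
    }
```

Note that the draft text quoted above lists only application/javascript and application/json, so a server responding with text/javascript would also be refused by this strict reading.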
Received on Saturday, 22 January 2011 07:06:44 GMT
