
Re: [Content Security Policy] Proposal to move the debate forward

From: Gervase Markham <gerv@mozilla.org>
Date: Fri, 28 Jan 2011 10:33:37 +0000
Message-ID: <4D429B81.1090102@mozilla.org>
To: gaz Heyes <gazheyes@gmail.com>
CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org

On 28/01/11 10:05, gaz Heyes wrote:
> Ok let me drive this grave error home, if at any point that the script
> token becomes session based it's useless. An attacker (me) would inject
> a HTML form equivalent based vector to steal all tokens

How would you steal all tokens if you couldn't run any script because 
you didn't have the token?

If the token is equivalent to the user's session ID, then running some 
malicious script becomes an equivalent problem to stealing their session 
ID without script. That doesn't sound trivial to me.

Or have I missed something?

> and then inject
> If for some crazy reason you decide to
> use session based tokens then you would have to validate all HTML
> injections

I'm not sure what you mean by "validate all HTML injections", but I 
don't think anyone is suggesting that using CSP means that you can just 
safely print arbitrary user-supplied content as HTML.

Gerv
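Added illustration, not part of this thread and not code from the CSP proposal under discussion: the Python below assumes the per-response script nonce mechanism that later CSP revisions adopted, where each HTTP response carries a fresh unguessable token in its Content-Security-Policy header and on its own script tags, so no token is ever shared across a session. The NonceAudit class is a hypothetical check that flags the session-scoped token design gaz objects to (the same nonce appearing in more than one response of a session), and initPage is a placeholder script name.

```python
import html
import secrets


def new_script_nonce() -> str:
    """Return a fresh nonce for exactly one response (128 bits, base64url)."""
    return secrets.token_urlsafe(16)


def csp_header_value(nonce: str) -> str:
    """Policy that lets only script elements carrying this nonce execute."""
    return f"script-src 'nonce-{nonce}'"


def render_page(nonce: str, user_comment: str) -> str:
    """Render a page with one nonced inline script and one user-supplied string.

    The user string is still HTML-escaped: CSP limits what injected markup
    can execute, it does not make printing raw user content as HTML safe.
    """
    safe_comment = html.escape(user_comment, quote=True)
    return (
        "<!doctype html><html><body>\n"
        f'<p class="comment">{safe_comment}</p>\n'
        f'<script nonce="{nonce}">initPage();</script>\n'  # initPage is a placeholder
        "</body></html>"
    )


def build_response(user_comment: str) -> dict:
    """Assemble header and body for one response with its own nonce."""
    nonce = new_script_nonce()
    return {
        "headers": {"Content-Security-Policy": csp_header_value(nonce)},
        "body": render_page(nonce, user_comment),
        "nonce": nonce,
    }


class NonceAudit:
    """Hypothetical check: report when a session reuses a script nonce.

    A per-session token would trip this on the second response; a
    per-response token never should.
    """

    def __init__(self) -> None:
        self._seen: dict[str, set[str]] = {}

    def record(self, session_id: str, nonce: str) -> bool:
        """Record the nonce; return True if this session already used it."""
        nonces = self._seen.setdefault(session_id, set())
        reused = nonce in nonces
        nonces.add(nonce)
        return reused


if __name__ == "__main__":
    audit = NonceAudit()
    # Constructed sample: two responses to the same session, one containing
    # a comment that tries to smuggle markup.
    for comment in ["hello", "<script>alert(1)</script>"]:
        resp = build_response(comment)
        print(resp["headers"]["Content-Security-Policy"])
        print("nonce reused within session:", audit.record("sess-A", resp["nonce"]))
```

The audit check is the kind of thing a response-logging middleware could run in a staging environment: any hit means the nonce is being derived from session state rather than generated per response, which is the design the thread argues about.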
Received on Friday, 28 January 2011 10:34:16 GMT