
Re: [Content Security Policy] Proposal to move the debate forward

From: Gervase Markham <gerv@mozilla.org>
Date: Fri, 28 Jan 2011 11:18:00 +0000
Message-ID: <4D42A5E8.1030608@mozilla.org>
To: gaz Heyes <gazheyes@gmail.com>
CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 28/01/11 11:07, gaz Heyes wrote:
> Hehe I thought you were being awkward, ok the iframe isn't injected it
> serves to read the data that is injected. So the img injection sends the
> data from the page to the next single quote (including the script key)
> to our evil server,

Blimey. I had no idea the HTML content model was so broken that this 
sort of thing worked.

I guess you could defeat this attack by prefixing every script key with 
the string

'"

i.e.

<script> /* '" SCRIPT_KEY_HERE */ var valid_script = 0; ... </script>

But I agree that's a bit of a pain to do. We could make it so that the 
only valid script-keys were ones which began "' ... !

Gerv
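The mitigation Gerv proposes above, checked in an added example that is not part of the thread: it models the single HTML tokenizer rule the attack relies on (a quoted attribute value runs until the next occurrence of the same quote character) and shows that a script key prefixed with `'"` is closed off before its secret part, whichever quote an unclosed attribute opened with. The key format and the `make_script_key`/`is_valid_script_key` helpers are assumptions, not anything CSP specified.

```python
import secrets

# Gerv's proposal: every script key begins with a single quote followed by
# a double quote, so either kind of dangling quoted attribute is terminated
# before the key itself.
KEY_PREFIX = "'\""


def make_script_key(nbytes: int = 16) -> str:
    """Generate a script key in the proposed (hypothetical) prefixed format."""
    return KEY_PREFIX + secrets.token_hex(nbytes)


def is_valid_script_key(key: str) -> bool:
    """Policy check from the mail: only keys that begin with '" are valid."""
    return key.startswith(KEY_PREFIX) and len(key) > len(KEY_PREFIX)


def dangling_attribute_value(page_after_injection: str, quote: str) -> str:
    """Text a browser takes as the value of an attribute opened with `quote`
    that the injector never closed: everything up to the next occurrence of
    that same quote character, or the end of the document if there is none."""
    end = page_after_injection.find(quote)
    return page_after_injection if end == -1 else page_after_injection[:end]


def key_leaks(key: str, quote: str) -> bool:
    """Would the unclosed attribute's value contain the secret part of the key?"""
    # Constructed page fragment: what follows the injection point, with the
    # key placed in a comment inside the script element as Gerv suggests.
    page_tail = (
        f"<p>user content</p>"
        f"<script> /* {key} */ var valid_script = 0; </script>"
    )
    captured = dangling_attribute_value(page_tail, quote)
    secret = key[len(KEY_PREFIX):] if key.startswith(KEY_PREFIX) else key
    return secret in captured


if __name__ == "__main__":
    for label, key in (("plain key", "deadbeef"), ("prefixed key", KEY_PREFIX + "deadbeef")):
        for quote in ("'", '"'):
            print(f"{label:13s} attribute opened with {quote}: leaks={key_leaks(key, quote)}")
```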
Received on Friday, 28 January 2011 11:18:40 GMT