W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: [Content Security Policy] Proposal to move the debate forward

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 28 Jan 2011 12:33:46 -0800
Message-ID: <AANLkTi=nQbTzH7vOYhVcAqAyA2eUiKwsh74urh5FrCUy@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: public-web-security@w3.org
On Fri, Jan 28, 2011 at 12:28 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 1/28/11 3:03 PM, Adam Barth wrote:
>>
>> I agree that controlling which scripts can execute on your page is
>> useful for mitigating XSS.  I don't understand why controlling which
>> fonts can be loaded by your page has any security impact.
>
> Does allowing attackers to rewrite the text on your page (but not run any
> script) have security impact?
>
> Allowing arbitrary font loads allows various attacks that depend on
> misinforming the user about what buttons and such will do, for example.

In this threat model, they can already do both those things without
the ability to load fonts.  They just make an opaque DIV that covers
the whole page and write whatever they like into it.

Adam
Received on Friday, 28 January 2011 20:34:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 28 January 2011 20:34:52 GMT