
Re: [Content Security Policy] Proposal to move the debate forward

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 28 Jan 2011 13:37:05 -0800
Message-ID: <AANLkTi=-YGXUry7iWtwn+-0OPYaOHa1XV-w2wJigPxyV@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>
Cc: public-web-security@w3.org
On Fri, Jan 28, 2011 at 12:53 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 1/28/11 3:33 PM, Adam Barth wrote:
>>>
>>> Does allowing attackers to rewrite the text on your page (but not run any
>>> script) have security impact?
>>>
>>> Allowing arbitrary font loads allows various attacks that depend on
>>> misinforming the user about what buttons and such will do, for example.
>>
>> In this threat model, they can already do both those things without
>> the ability to load fonts.  They just make an opaque DIV that covers
>> the whole page and write whatever they like into it.
>
> I think we're talking about different threat models.
>
> In my threat model, the page does not allow injection of script, and
> possibly not of content, but does allow some styling.
>
> The attacker's goal is to get some of the page-provided script to run, or a
> page-provided form to be submitted, with data the attacker can control or
> influence.
>
> Covering the whole page with a div won't do the trick there.

Ok.  I don't think that threat model is worth worrying about in the
first iteration.  I'd like to be able to mitigate script injection
without affecting font loading.  The two seem like separable concerns
to me.

Again, I'm not trying to prevent you from mitigating that threat
model, I'd just like the ability to address the most impactful threats
(e.g., script injection) first and then have the ability to iterate to
address less impactful threats (e.g., font replacement) later.

Adam
Received on Friday, 28 January 2011 21:38:10 GMT
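The separation Adam argues for above, restricting script injection without touching font loading, corresponds to CSP's per-resource-type fetch directives: `script-src` and `font-src` are evaluated independently, and a fetch directive that is absent falls back to `default-src`. The following is an added example, not code from the thread or from any browser; it is a deliberately minimal policy parser and source matcher (only `*`, `'none'`, `'self'`, scheme-only sources such as `https:`, and exact origins are handled; wildcard hosts, paths and nonces are not), and the sample policies and origins are constructed for illustration.

```javascript
// Minimal CSP model: parse a policy header into directives and answer two
// questions about it independently -- does it still permit inline script,
// and which origins may serve fonts?  Illustrative only; real CSP source
// matching is richer than the handful of cases handled here.

function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    // CSP ignores repeated directives; the first occurrence wins.
    if (!policy.has(key)) policy.set(key, values);
  }
  return policy;
}

// Fetch directives that inherit from default-src when not set explicitly.
const FALLS_BACK_TO_DEFAULT = new Set([
  'script-src', 'style-src', 'font-src', 'img-src',
  'connect-src', 'media-src', 'object-src', 'frame-src',
]);

// Returns the source list governing `directive`, or null if the policy
// places no restriction on that resource type at all.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has('default-src')) {
    return policy.get('default-src');
  }
  return null;
}

// Simplified source-expression match (assumption: only these forms).
function matchesSource(expr, origin, pageOrigin) {
  if (expr === '*') return true;
  if (expr === "'none'") return false;
  if (expr === "'self'") return origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    // scheme-only source such as "https:"
    return origin.toLowerCase().startsWith(expr.toLowerCase());
  }
  return expr.toLowerCase() === origin.toLowerCase();
}

// Script injection is mitigated only if script-src (or its fallback) exists
// and does not carry 'unsafe-inline'.
function allowsInlineScript(policy) {
  const src = effectiveSources(policy, 'script-src');
  return src === null || src.includes("'unsafe-inline'");
}

// Font loading is judged by font-src alone; script-src never enters into it.
function allowsFontFrom(policy, origin, pageOrigin) {
  const src = effectiveSources(policy, 'font-src');
  if (src === null) return true;
  return src.some((expr) => matchesSource(expr, origin, pageOrigin));
}

// Constructed sample: lock down script, leave fonts open to any HTTPS host.
const samplePolicy = parseCsp("default-src 'self'; script-src 'self'; font-src https:");
const samplePage = 'https://app.example';
```

`allowsInlineScript(samplePolicy)` is false while `allowsFontFrom(samplePolicy, 'https://fonts.example.net', samplePage)` is true, which is exactly the "separable concerns" point: the script directive can be tightened in a first iteration and the font directive revisited later without either decision constraining the other. Conversely, a policy of only `default-src 'self'` restricts fonts to the page's own origin as a side effect of the fallback rule, so a site that wants Adam's separation has to name `font-src` explicitly.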
