W3C home > Mailing lists > Public > public-web-security@w3.org > January 2011

Re: [Content Security Policy] Proposal to move the debate forward

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 28 Jan 2011 22:05:22 +0000
Message-ID: <AANLkTikWYWr=HttU+iTJ+ERn4ZabvxmJ8xsfEfwkOsAr@mail.gmail.com>
To: Brandon Sterne <bsterne@mozilla.com>
Cc: Gervase Markham <gerv@mozilla.org>, public-web-security@w3.org
On 28 January 2011 18:42, Brandon Sterne <bsterne@mozilla.com> wrote:

> I'm also still trying to wrap my head around your <iframe> and <img>
> token-stealing attack on the script-nonce approach.
>

Hehe maybe my brain is just weird. Ok the iframe waits for the img that's
why I use onload then a 10 sec delay, the readKey function basically calls
the server side script which receives the result from the img injection.
It's passing from the server to the client iframe, then the iframe can
inject the xss.

>
> I still think globally disallowing inline scripts and then letting a
> site individually whitelist script blocks with a nonce attribute is a
> good way to go.  I haven't yet seen good evidence as to why this
> approach shouldn't be pursued.
>
>
Definitely just the approach that needs to be slightly modified, using both
start and end markers now even if they can't be used fully yet.
Received on Friday, 28 January 2011 22:05:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 28 January 2011 22:05:58 GMT