
Re: [Content Security Policy] Proposal to move the debate forward

From: Brandon Sterne <bsterne@mozilla.com>
Date: Fri, 28 Jan 2011 14:26:54 -0800
Message-ID: <4D4342AE.3090303@mozilla.com>
To: gaz Heyes <gazheyes@gmail.com>
CC: Gervase Markham <gerv@mozilla.org>, public-web-security@w3.org
On 1/28/11 2:05 PM, gaz Heyes wrote:
> On 28 January 2011 18:42, Brandon Sterne <bsterne@mozilla.com
> <mailto:bsterne@mozilla.com>> wrote:
> 
>     I'm also still trying to wrap my head around your <iframe> and <img>
>     token-stealing attack on the script-nonce approach.
> 
> 
> Hehe, maybe my brain is just weird. OK, the iframe waits for the img;
> that's why I use onload and then a 10 sec delay. The readKey function
> basically calls the server-side script, which receives the result from
> the img injection. It's passed from the server to the client iframe,
> then the iframe can inject the XSS.

I understand that is what you are claiming.  I grant that your method
allows the attacker to read the token from the target site.  My
question, which you did not respond to, is:

If the <iframe> is in a different domain than the target site, how can
it inject script into the target site?

-Brandon
Received on Friday, 28 January 2011 22:27:58 GMT
