
Re: [Content Security Policy] Proposal to move the debate forward

From: Brandon Sterne <bsterne@mozilla.com>
Date: Fri, 28 Jan 2011 14:58:06 -0800
Message-ID: <4D4349FE.4040303@mozilla.com>
To: gaz Heyes <gazheyes@gmail.com>
CC: Gervase Markham <gerv@mozilla.org>, public-web-security@w3.org
On 1/28/11 2:33 PM, gaz Heyes wrote:
> On 28 January 2011 22:26, Brandon Sterne <bsterne@mozilla.com> wrote:
> 
>     If the <iframe> is in a different domain than the target site, how can
>     it inject script into the target site?
> 
> 
> <iframe src="//google.com"
> onload="this.contentWindow.location='//microsoft.com'"></iframe>
> 
> location is settable across any domain. 

Okay, now we're getting somewhere.  In your example, as soon as the
<iframe> navigates the page, that would cause the page to be reloaded,
which in our use case, would result in a new script nonce being
delivered in the policy.

In other words, yes, you can steal the script token using this
technique, but if the token is being properly rotated, then the token
would be invalid as soon as you reload the page with your new injected
payload.

Do I have this right?

Thanks,
Brandon
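As an added illustration of the rotation argument in this message (example code written for this archive page, not from the thread or from any browser or server implementation): a small Python model of a site that mints a CSP script nonce per response and of the browser's nonce check, showing that a nonce observed on one page load does not authorize a script in the next load when the site rotates it, but does when the site reuses the same nonce. The class and function names are hypothetical.

```python
import secrets
from typing import Optional


class NonceServer:
    """Hypothetical model of a site delivering a script nonce in its CSP.

    rotating=True mints a fresh nonce on every response (the behaviour the
    message relies on); rotating=False models a site that reuses one nonce.
    """

    def __init__(self, rotating: bool = True) -> None:
        self.rotating = rotating
        self._nonce: Optional[str] = None

    def render_page(self) -> tuple[str, str]:
        """Return (Content-Security-Policy header value, nonce used in the page)."""
        if self.rotating or self._nonce is None:
            self._nonce = secrets.token_urlsafe(16)
        policy = f"default-src 'self'; script-src 'self' 'nonce-{self._nonce}'"
        return policy, self._nonce


def script_nonces(policy: str) -> set[str]:
    """Extract the nonce values permitted by the script-src directive."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return {t[len("'nonce-"):-1] for t in tokens[1:]
                    if t.startswith("'nonce-") and t.endswith("'")}
    return set()


def browser_allows_script(policy: str, script_nonce: str) -> bool:
    """Model of the browser check: a script runs only if its nonce attribute
    matches a nonce in the policy delivered with this response."""
    return script_nonce in script_nonces(policy)


def stale_nonce_accepted(rotating: bool) -> bool:
    """Scenario from the thread: the nonce is read from one load, the page is
    then navigated (re-requested), and a script carrying the old nonce ends up
    in the new load. Returns whether that script would be allowed to run."""
    site = NonceServer(rotating=rotating)
    _, captured = site.render_page()      # first load: nonce becomes visible
    new_policy, _ = site.render_page()    # navigation: page is re-requested
    return browser_allows_script(new_policy, captured)
```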
Received on Friday, 28 January 2011 22:58:39 GMT