
CSP and jsonp callbacks

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Mon, 30 May 2011 12:37:46 -0500
Message-ID: <BANLkTi=nHAxH8M9GtC2dCGr_5BPiJ1hzfg@mail.gmail.com>
To: public-web-security@w3.org
Cc: masatokinugawa@gmail.com
Hi List.

I think this issue has come up before (can't find the thread but I've
seen it) and Masato (cc'd) brought this up to us recently.

What can a CSP user do in the following case:

1. www.mozilla.org trusts scripts from www.youtube.com because they
use one of their scripts.
2. Attacker is able to do
www.youtube.com/video/export?id=1337&callback=eval(name)
3. Then Mozilla isn't capable of protecting using CSP.

In general, Mozilla can't realistically know all the things we put in
www.youtube.com. If Youtube doesn't care about CSP, there's no reason
for them to fix it. And Mozilla might not be able to mirror the script
to their own servers because it might change at any moment, and their
site might break.

Could it be possible to whitelist specific files, instead of complete
origins? Maybe even global expressions (e.g.
www.youtube.com/scripts/*.js)?
Or... maybe Mozilla shouldn't trust Youtube at all?
What about... Content-Type enforcement? Force scripts allowed on a CSP
document to have the right Content-Type.

How does this apply to the use case of stats services, captcha, ads,
etc., which all require external scripts?

I think forcing the right Content-Type for scripts might be the best
solution, and maybe a rule to override this behavior, comments?

Thanks!!

-- Eduardo
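As an added illustration (not part of Eduardo's post or of any CSP implementation), the Python sketch below shows both sides of the problem: a simplified, hypothetical matcher in which an origin-wide script-src entry admits the JSONP URL while a path-scoped glob entry (the post's proposal, not the CSP spec's matching rules) does not, and a provider-side JSONP guard that rejects non-identifier callbacks and labels the response as JavaScript. The https:// scheme, the handleVideo callback and the player.js path are assumptions.

```python
import json
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample policies: the origin-wide entry from the post and the
# path-scoped glob alternative it proposes.
ORIGIN_POLICY = ["www.youtube.com"]
PATH_POLICY = ["www.youtube.com/scripts/*.js"]

# Constructed sample URLs (scheme added): the JSONP endpoint from the post
# and an assumed legitimate script path.
JSONP_URL = "https://www.youtube.com/video/export?id=1337&callback=eval(name)"
LEGIT_URL = "https://www.youtube.com/scripts/player.js"

# Callback names a JSONP endpoint should accept: dotted JS identifiers only,
# so "eval(name)" can never be echoed into the response body.
SAFE_CALLBACK = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*")


def script_allowed(url, policy):
    """Illustrative matcher, not the CSP algorithm: an entry without a path
    matches the whole host; an entry with a path is matched as a glob
    against host + path (query string ignored, '*' may span '/')."""
    parts = urlsplit(url)
    target = parts.netloc + parts.path
    for source in policy:
        if "/" not in source:
            if parts.netloc == source:
                return True
        elif fnmatchcase(target, source):
            return True
    return False


def callback_is_safe(callback):
    """True only for a plain (optionally dotted) JavaScript identifier."""
    return SAFE_CALLBACK.fullmatch(callback) is not None


def jsonp_response(callback, payload):
    """Provider-side guard: refuse non-identifier callbacks and always label
    the body as JavaScript, so a consumer-side Content-Type check holds."""
    if not callback_is_safe(callback):
        raise ValueError("rejected callback name")
    headers = {"Content-Type": "application/javascript; charset=utf-8",
               "X-Content-Type-Options": "nosniff"}
    return headers, "%s(%s);" % (callback, json.dumps(payload))
```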
Received on Monday, 30 May 2011 17:38:34 GMT
