W3C home > Mailing lists > Public > public-web-security@w3.org > May 2011

Re: CSP and jsonp callbacks

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 30 May 2011 11:00:48 -0700
Message-ID: <BANLkTimrYvLT_Cnj07MFyHXj+jVcFoP06A@mail.gmail.com>
To: sird@rckc.at
Cc: public-web-security@w3.org, masatokinugawa@gmail.com
On Mon, May 30, 2011 at 10:37 AM, Eduardo Vela <sirdarckcat@gmail.com> wrote:
> Hi List.
>
> I think this issue has came up before (can't find the thread but I've
> seen it) and Masato (cc'd) brought this up to us recently.
>
> What can a CSP user do in the following case:
>
> 1. www.mozilla.org trusts scripts from www.youtube.com because they
> use one of their scripts.
> 2. Attacker is able to do
> www.youtube.com/video/export?id=1337&callback=eval(name)

Won't that be blocked because eval is blocked?

Adam


> 3. Then Mozilla isn't capable of protecting using CSP.
>
> In general, Mozilla can't realistically know all the things we put in
> www.youtube.com. If Youtube doesn't care about CSP, there's no reason
> for them to fix it. And Mozilla might not be able to mirror the script
> to their own servers because it might change at any moment, and their
> site might break.
>
> Could it be possible to whitelist specific files, instead of complete
> origins? Maybe even global expressions (e.g.
> www.youtube.com/scripts/*.js)?
> Or.. maybe Mozilla shouldn't trust Youtube at all?
> What about.. Content-Type enforcement? Force scripts allowed on a CSP
> document to have the right Content-Type.
>
> How does this apply for the use case of stats services, captcha, ads,
> etc.. which all require external scripts?
>
> I think forcing the right Content-Type for scripts might be the best
> solution, and maybe a rule to override this behavior, comments?
>
> Thanks!!
>
> -- Eduardo
>
>
Received on Monday, 30 May 2011 18:01:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 30 May 2011 18:01:47 GMT