
Re: How should Content-Security-Policy apply to Flash?

From: gaz Heyes <gazheyes@gmail.com>
Date: Fri, 21 Oct 2011 15:58:15 +0100
Message-ID: <CADJi-i=fTR+2BF7Pi0vWZJU1-rFm9fNRiFUw-mxcuO_hYzW+hA@mail.gmail.com>
To: Travis Hassloch <thassloc@adobe.com>
Cc: "public-web-security@w3.org" <public-web-security@w3.org>

On 21 October 2011 01:19, Travis Hassloch <thassloc@adobe.com> wrote:

> I would be very appreciative to hear your ideas on how
> Content-Security-Policy should apply to flash.
>
> For example, one idea of many: SWF files are compiled from
> actionscript, which is more-or-less ECMAscript, so perhaps it
> should be interpreted as such.  On the other hand, they may be
> dissimilar enough that extensions to CSP (new directives) may
> be the way to go.
>
> Thoughts on this or any other aspect?
>
> Backgrounder on flash security model:
> <URL: http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html>
>

The whole CSP security model breaks down when you have Flash without HTML,
i.e. served directly on the page, and lots and lots of sites allow direct
Flash injections without HTML. Also, your crossdomain policy doesn't work
for outgoing requests, does it? Or have you fixed that now? A certain WAF
vendor (it shall remain nameless because I forgot which one it was) had
Flash injections on their "banner" Flash file; an attacker could simply
create a global crossdomain policy on their server and then send a request
for an XML file to the evil server from the "good" server, and the "good"
site would be injected with images or malicious HTML from the evil server's
XML file.

PS The WAF didn't seem to work =)
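As an added example (not part of this thread), the "global crossdomain policy" mentioned above is a crossdomain.xml whose allow-access-from rule uses domain="*"; the script below audits such a policy document for hosts you operate and flags the wildcard and secure="false" settings. Both sample policies are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the permissive "global" policy the message refers to.
GLOBAL_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>"""

# Constructed sample: a policy restricted to a single hostname.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com"/>
</cross-domain-policy>"""


def audit_crossdomain(policy_xml):
    """Return a list of findings for a Flash crossdomain.xml document.

    A wildcard in allow-access-from lets a SWF loaded from any origin read
    responses from this host, which is what the message describes.
    secure="false" additionally lets SWFs served over HTTP read content
    served over HTTPS.
    """
    findings = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["not a cross-domain-policy document"]
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('global policy: allow-access-from domain="*"')
        elif domain.startswith("*."):
            findings.append(f"wildcard subdomain rule: {domain}")
        # The attribute defaults to true when omitted.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on rule for {domain}')
    for hdr in root.iter("allow-http-request-headers-from"):
        if hdr.get("domain") == "*":
            findings.append("any origin may send custom request headers")
    return findings


if __name__ == "__main__":
    for name, policy in (("global", GLOBAL_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(policy) or ["no findings"])
```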
Received on Friday, 21 October 2011 14:58:51 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 21 October 2011 14:58:52 GMT