RE: lcamtuf on the subtle/deadly problem with CSP

From: Hill, Brad <bhill@paypal-inc.com>
Date: Thu, 1 Sep 2011 12:24:15 -0600
To: Michal Zalewski <lcamtuf@coredump.cx>
CC: Daniel Veditz <dveditz@mozilla.com>, Adam Barth <w3c@adambarth.com>, "sird@rckc.at" <sird@rckc.at>, "public-web-security@w3.org" <public-web-security@w3.org>
Message-ID: <213E0EC97FE58F469BB618245B3118BB552DAF4421@DEN-MEXMS-001.corp.ebay.com>

> Possibly, but what effect would it realistically have at this point?
> /mz

1) JSONP is a very common pattern
2) Popular JSONP feeds are likely to also have lots of other JS at their origin (e.g. Google)
3) Therefore, allowing webapps to safely consume JSONP without also accepting all other script content from the origin is important exactly to the extent that origin-granularity attack surface is a genuine problem with CSP (and it seems it is)
Received on Thursday, 1 September 2011 18:24:45 UTC
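
The origin-granularity point in the message above, as an added example that is not part of the original post: a simplified JavaScript model of origin-level `script-src` matching (scheme, host and port only; wildcards and scheme-less sources are not modelled). The policy, the hosts `app.example`, `feeds.example` and `cdn.example`, and all paths are constructed for illustration.

```javascript
// Simplified model: a source expression matches a script URL when scheme, host
// and port agree. Paths are never compared, which is the granularity at issue.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the source list governing scripts: script-src, else default-src.
function scriptSources(policy) {
  const directives = new Map();
  for (const d of policy.split(";")) {
    const [name, ...sources] = d.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives.get("script-src") || directives.get("default-src") || null;
}

// Reduce a URL to the scheme://host:port triple that the model compares.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol]}`;
}

function scriptAllowed(policy, pageUrl, scriptUrl) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // no governing directive: unrestricted
  const target = originOf(new URL(scriptUrl, pageUrl).href);
  return sources.some((src) => {
    if (src === "'self'") return originOf(pageUrl) === target;
    // Keywords such as 'none' are not URLs, fail to parse and match nothing.
    try { return originOf(src) === target; } catch { return false; }
  });
}

// Group candidate script URLs by the policy decision.
function audit(policy, pageUrl, scriptUrls) {
  const result = { allowed: [], blocked: [] };
  for (const s of scriptUrls) {
    (scriptAllowed(policy, pageUrl, s) ? result.allowed : result.blocked).push(s);
  }
  return result;
}

// Constructed sample input.
const POLICY = "default-src 'self'; script-src 'self' https://feeds.example";
const PAGE = "https://app.example/dashboard";
const CANDIDATES = [
  "https://feeds.example/api/news?callback=renderNews", // the JSONP feed the app consumes
  "https://feeds.example/widgets/unrelated.js",         // other JS at the same origin
  "https://cdn.example/lib.js",                         // origin not on the list
];
console.log(audit(POLICY, PAGE, CANDIDATES));
```

Both `feeds.example` URLs land in `allowed`: whitelisting the origin for its JSONP feed admits every other script served there as well.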