
Re: CSP - Prevent DOM XSS only?

From: gaz Heyes <gazheyes@gmail.com>
Date: Tue, 11 Dec 2012 11:08:11 +0000
Message-ID: <CADJi-i=Yc0LSKPqRKRaQwHQb9RBDwbtULF8-UsqQB=qc_xGvfg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "Eduardo' Vela" <evn@google.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Adam Barth <w3c@adambarth.com>

On 10 December 2012 20:52, Mike West <mkwst@google.com> wrote:

> The goal of the `script-nonce` directive is to handle at least some of
> this use-case:
> https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental
>
> Rather than altering the behavior of `innerHTML`, it asks developers to
> tag inline script blocks that are intentionally included with a unique key,
> generated on the fly for each request. Bad for caching, not particularly
> useful for static sites, but useful for the (many?) applications that can't
> kill inline scripts.
>

I think just providing a script-nonce is flawed, as I've mentioned before on
this list, since you can inject inside protected scripts and discover the
key by using <img> requests or non-script-executing "XSS" vectors. The
protection must apply to all elements, or at the very least most of them.
Using this method you can identify user input from site code too.

Received on Tuesday, 11 December 2012 11:15:49 GMT
