Proposal to remove the 'frame-action' directive from CSP 1.1

From: Eric Chen <eric.chen@sv.cmu.edu>
Date: Thu, 7 Jun 2012 20:05:24 -0700
Message-ID: <CAF8haaxTE7ivurT=2ofFLPQC=C2k95=Qr1RUU06etMqBRMP2XA@mail.gmail.com>
To: public-web-security@w3.org
Cc: Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>

Hello Everyone:

I would like to propose the removal of the 'frame-action' directive from CSP
1.1 because it offers very few security guarantees against data
exfiltration attacks. We wrote a paper on this particular topic:

In summary, the attack works as follows:
1. Alice has a blog that uses the 'form-action' directive to protect data
from being sent to evil.com
2. The attacker creates a form that posts the user's data to the comment
section of a blog post.
3. The attacker reads the blog post to extract the data

We discovered that 40% of the Alexa top 1xx websites contain at least one
exfiltration channel without CSRF protection, which makes them susceptible
to this attack (yes, even with JavaScript disabled).

Received on Friday, 8 June 2012 15:38:53 UTC
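
The channel described in the message above, seen from the defender's side, as an added example that is not part of the original post or the paper: a same-origin comment form passes a 'form-action' policy, so the comment endpoint itself has to reject submissions that lack a CSRF token. The simplified matcher, the HMAC token scheme, the function names, the `blog.example` origin and the paths are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Simplified form-action matcher (assumption: only 'self' and exact origins).
function formActionAllows(policy, pageOrigin, actionUrl) {
  const m = policy.match(/(?:^|;)\s*form-action\s+([^;]*)/);
  if (!m) return true; // no directive: form submissions are unrestricted
  const target = new URL(actionUrl, pageOrigin).origin;
  return m[1].trim().split(/\s+/).some(
    (src) => (src === "'self'" ? target === pageOrigin : src === target));
}

// Session-bound CSRF token: HMAC(secret, sessionId). Hypothetical scheme.
function issueToken(secret, sessionId) {
  return crypto.createHmac('sha256', secret).update(sessionId).digest('hex');
}

function tokenValid(secret, sessionId, token) {
  const expected = Buffer.from(issueToken(secret, sessionId));
  const given = Buffer.from(String(token || ''));
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Comment endpoint: publishes the body only if the CSRF token checks out.
function handleComment(secret, req, published) {
  if (!tokenValid(secret, req.sessionId, req.fields.csrf)) return 403;
  published.push(req.fields.body);
  return 200;
}

// Constructed sample data.
const POLICY = "default-src 'self'; form-action 'self'";
const ORIGIN = 'https://blog.example';
const SECRET = 'constructed-demo-secret';

function demo() {
  const published = [];
  const token = issueToken(SECRET, 's1');
  return {
    // The policy blocks the off-site target but allows the same-origin one.
    offSite: formActionAllows(POLICY, ORIGIN, 'https://evil.com/collect'),
    sameOrigin: formActionAllows(POLICY, ORIGIN, '/posts/1/comments'),
    // Form without a token (as injected markup would be): rejected.
    injected: handleComment(SECRET, { sessionId: 's1', fields: { body: 'user data' } }, published),
    // Form rendered by the site itself carries the session's token.
    legit: handleComment(SECRET, { sessionId: 's1', fields: { body: 'nice post', csrf: token } }, published),
    published,
  };
}
```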