
Re: Proposal to remove the 'frame-action' directive from CSP 1.1

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 8 Jun 2012 12:12:51 -0700
Message-ID: <CAJE5ia8cNefv-oi_19vP4nQ8dGj7F-_U4f6DZoXvFyi-x5erPw@mail.gmail.com>
To: Eric Chen <eric.chen@sv.cmu.edu>
Cc: public-web-security@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>

public-web-security is the mailing list for the general security
interest group.  Discussions about CSP should take place on
public-webappsec.  Would you be willing to re-send your message to
that list?

Thanks!
Adam


On Thu, Jun 7, 2012 at 8:05 PM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
> Hello Everyone:
>
> I would like to propose the removal of the 'frame-action' directive from CSP 1.1
> because it offers very few security guarantees against data exfiltration
> attacks. We wrote a paper on this particular
> topic: http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf
>
> In summary, the attack works as follows:
> 1. Alice has a blog that uses the 'form-action' directive to protect data
> from being sent to evil.com
> 2. The attacker creates a form that posts the user's data to the comment
> section of a blog post.
> 3. The attacker reads the blog post to extract the data
>
> We discovered that 40% of the Alexa top 1xx websites contain at least one
> exfiltration channel without CSRF protection, which makes them susceptible
> to this attack (yes, even with JavaScript disabled).
>
> --
> -Eric
>
Received on Friday, 8 June 2012 19:13:53 GMT
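
An added example, not part of the original thread or the cited paper: a small audit that lists the POST forms on a page which a `form-action` policy still permits and which carry no anti-CSRF token field, i.e. the same-origin channels the quoted message describes. The token field names, the sample policy, URL and HTML are constructed assumptions, and the source matching is deliberately simplified to `'self'`, `'none'`, `*` and exact origins.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed hidden-field names for anti-CSRF tokens; adjust to the application.
TOKEN_FIELDS = {"csrf_token", "csrfmiddlewaretoken", "authenticity_token"}

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def form_action_allows(policy, page_url, target):
    """Simplified form-action match: 'self', 'none', '*' and exact origins."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "form-action":
            for src in (s.lower() for s in parts[1:]):
                if src == "*" or src == origin(target):
                    return True
                if src == "'self'" and origin(target) == origin(page_url):
                    return True
            return False  # directive present, nothing matched ('none' included)
    return True  # no form-action directive: form targets are unrestricted

class FormAudit(HTMLParser):
    """Collects each form's action, method and input names."""
    def __init__(self):
        super().__init__()
        self.forms, self.in_form = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "get").lower(),
                               "fields": set()})
        elif tag == "input" and self.in_form:
            self.forms[-1]["fields"].add((a.get("name") or "").lower())
    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def unprotected_channels(policy, page_url, html):
    """Targets of POST forms the policy permits that have no token field."""
    audit = FormAudit()
    audit.feed(html)
    return [t for f in audit.forms
            for t in [urljoin(page_url, f["action"])]
            if f["method"] == "post" and not (f["fields"] & TOKEN_FIELDS)
            and form_action_allows(policy, page_url, t)]

# Constructed sample input.
POLICY = "default-src 'self'; form-action 'self'"
PAGE = "https://blog.example/post/1"
HTML = """<form method="post" action="/post/1/comments"><input name="body"></form>
<form method="post" action="/account/email"><input type="hidden" name="csrf_token" value="x"></form>
<form method="post" action="https://other.example/collect"><input name="q"></form>"""
```

On the sample input only the comment form is reported: the policy blocks the cross-origin form and the account form carries a token.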
