
The return of script-sample?

From: neil matatall <neil@matatall.com>
Date: Tue, 4 Dec 2012 19:17:29 -0800
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <3C6C4B40E05B4EE48FDC5F0A8ED95E1A@matatall.com>
(late to the party)

I was discussing data-mining capabilities provided by gathering CSP reports with a colleague, and we talked about how only Firefox's implementation will send a script-sample containing 45 characters of the script. We had discussed using the script-samples to build a list of payloads injected and feed them into a WAF like mod-security for signature detection.

Ignoring stances on WAFs and malicious script detection, was there a reason that script-sample in the CSP report was not included in the spec? It helps in identifying legit injections (in the case that unsafe-inline is disabled) and those created by plugins/infected browsers (Chrome makes this easier to filter based on chrome-extensions:, which I believe are automatically ignored in Chrome Canary). I do see a potential privacy issue here, but if you're not allowing inline script the script-sample certainly won't contain sensitive literals.

- Neil
Received on Wednesday, 5 December 2012 03:18:00 GMT
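As an added example (not code from the post, the list, or any browser or W3C implementation), here is a small Python report-uri consumer that does the defender-side work the post describes: parse CSP 1.0 violation reports, drop the ones caused by browser extensions, and tally the script-sample values for later signature work. The `csp-report` envelope and field names are those of CSP 1.0 reports; the 45-character cap and the chrome-extension: filtering idea come from the post; moz-extension: is assumed as Firefox's counterpart, and the sample reports are constructed test data.

```python
import json
from collections import Counter

# blocked-uri/source-file with these schemes mean a browser extension, not the page,
# caused the violation (post names chrome-extension:; moz-extension: is Firefox's).
EXTENSION_SCHEMES = ("chrome-extension:", "moz-extension:")
SCRIPT_SAMPLE_MAX = 45  # Firefox sends at most 45 characters (per the post)

def parse_csp_report(body):
    """Parse one report-uri POST body; None unless it is a CSP 1.0 report."""
    try:
        report = json.loads(body).get("csp-report")
    except (TypeError, ValueError, AttributeError):
        return None
    if not isinstance(report, dict):
        return None
    return {
        "violated_directive": str(report.get("violated-directive", "")),
        "blocked_uri": str(report.get("blocked-uri", "")),
        "source_file": str(report.get("source-file", "")),
        # Only Firefox included script-sample when the post was written.
        "script_sample": str(report.get("script-sample", ""))[:SCRIPT_SAMPLE_MAX],
    }

def is_extension_noise(parsed):
    """True when the violation originated in a browser extension."""
    return any(parsed[k].startswith(EXTENSION_SCHEMES) for k in ("blocked_uri", "source_file"))

def collect_inline_samples(bodies):
    """Count distinct script-samples of script-src violations, minus extension noise."""
    counts = Counter()
    for body in bodies:
        parsed = parse_csp_report(body)
        if parsed is None or is_extension_noise(parsed):
            continue  # malformed, or not this page's problem
        if parsed["violated_directive"].startswith("script-src") and parsed["script_sample"]:
            counts[parsed["script_sample"]] += 1
    return counts

def constructed_report(blocked_uri, sample):
    return json.dumps({"csp-report": {"document-uri": "https://example.test/",
                       "violated-directive": "script-src 'self'",
                       "blocked-uri": blocked_uri, "script-sample": sample}})

SAMPLE_REPORTS = [  # constructed test data, not captured traffic
    constructed_report("self", "console.log('constructed inline sample')"),
    constructed_report("self", "console.log('constructed inline sample')"),
    constructed_report("chrome-extension://exampleid/inject.js", "console.log('ext')"),
    "not json",
]
```

Running `collect_inline_samples(SAMPLE_REPORTS)` yields a single sample with count 2: the extension-originated report and the malformed body are dropped before tallying.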
