
Re: Content-Security-Policy and dynamically added meta elements

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sun, 30 Dec 2012 01:39:04 -0800
Message-ID: <50E00BB8.3050003@mozilla.com>
To: Yoav Weiss <yoav@yoav.ws>
CC: public-webappsec@w3.org

On 12/28/2012 3:29 AM, Yoav Weiss wrote:
> For example, for a site that enables inline-scripts but restricts its
> allowed hosts using `default-src`, a user-generated malicious inline
> script that is part of the page’s HTML can steal session cookies, but
> cannot send them to a malicious host.

CSP doesn't cover navigation, so if you can run malicious script you can
always exfiltrate data by setting document.location. Redirect back to
the Referer and some users won't even notice.

> What is the benefit from allowing dynamically added CSP directives?
> Wouldn’t it be safer to restrict them altogether?

We're just starting to define CSP 1.1 and one of our discussions will be 
how to balance the additional risks of <meta> against the benefits. The 
text in the editor's draft is just a proposal, we haven't agreed to 
anything beyond including some form of <meta> support.

-Dan Veditz
Received on Sunday, 30 December 2012 09:39:35 GMT
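The exchange above turns on two properties of CSP 1.0 policies: a host restriction in `default-src` only narrows the sources of script, it does not stop a script that is already running, and no CSP 1.0 directive governs top-level navigation at all. The following audit helper, added here as an example and not code from this thread or from any browser's CSP implementation, parses a policy string, resolves the `script-src` fallback to `default-src`, and reports whether inline script is permitted and which directive categories the policy actually constrains. The `audit` function, its report keys and the sample policies are assumptions constructed for the example.

```python
"""Audit a CSP 1.0 policy string (constructed example, not from the thread).

CSP 1.0 directives are separated by ';' and tokens by whitespace. Every
fetch directive (script-src, img-src, ...) falls back to default-src when
absent; when neither is present that resource type is unrestricted.
Navigation has no directive in CSP 1.0, so the report always marks it as
uncovered, which is the gap Dan Veditz points out above.
"""

# Fetch directives defined by CSP 1.0 that inherit from default-src.
CSP10_FETCH_DIRECTIVES = {
    "script-src", "object-src", "style-src", "img-src", "media-src",
    "frame-src", "font-src", "connect-src",
}


def parse_csp(policy):
    """Return {directive_name: [source expressions]} for a policy string.

    Directive names are case-insensitive. A repeated directive keeps its
    first occurrence, matching the 'first one wins' rule in the CSP spec.
    """
    directives = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in directives:
            continue  # duplicate directive: later copies are ignored
        directives[name] = tokens[1:]
    return directives


def effective_sources(directives, name):
    """Source list governing `name` after the default-src fallback.

    Returns None when nothing restricts that resource type.
    """
    if name in directives:
        return directives[name]
    if name in CSP10_FETCH_DIRECTIVES and "default-src" in directives:
        return directives["default-src"]
    return None


def audit(policy):
    """Summarise what a policy does and does not constrain."""
    directives = parse_csp(policy)
    script = effective_sources(directives, "script-src")
    connect = effective_sources(directives, "connect-src")

    # Inline script runs if script-src is unrestricted or lists
    # 'unsafe-inline' (keyword comparison is case-insensitive).
    inline_allowed = script is None or any(
        tok.lower() == "'unsafe-inline'" for tok in script
    )

    # Which fetch directives end up restricted, either directly or via
    # default-src. Anything missing from this set is unrestricted.
    restricted = sorted(
        d for d in CSP10_FETCH_DIRECTIVES
        if effective_sources(directives, d) is not None
    )

    return {
        "inline_script_allowed": inline_allowed,
        "script_sources": script,
        "connect_sources": connect,
        "restricted_fetch_directives": restricted,
        # No CSP 1.0 directive covers document.location / top-level
        # navigation, so this is False for every policy.
        "navigation_restricted": False,
    }


if __name__ == "__main__":
    # The scenario from the quoted message: inline script allowed,
    # hosts restricted through default-src.
    sample = "default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /csp"
    for key, value in audit(sample).items():
        print(f"{key}: {value}")
```

Run against the quoted scenario the report shows `inline_script_allowed` as True with `connect-src` and the other fetch directives pinned to `'self'`, while `navigation_restricted` stays False: a strict host list closes the XHR and image channels but leaves the one Dan describes open.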
