- From: Eric Chen <eric.chen@sv.cmu.edu>
- Date: Fri, 8 Jun 2012 13:21:30 -0700
- To: public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>
Received on Friday, 8 June 2012 20:22:47 UTC
Hello Everyone: I would like to propose the removal of 'frame-action' directive from CSP 1.1 because it offers very little security guarantees from data exfiltration attacks. We wrote a paper on this particular topic: http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf In summary, the attack works as follows: 1. Alice has a blog that uses the 'form-action' directive to protect data from being sent to evil.com 2. The attacker creates a form that posts the user's data to the comment section of a blog post. 3. The attacker reads the blog post to extract the data We discovered that 40% of the Alexa top 100 websites contain at least one exfiltration channels without CSRF protection, which makes them susceptible to this attack (yes, even with JavaScript disabled). -- -Eric
Received on Friday, 8 June 2012 20:22:47 UTC