
Proposal to remove the 'form-action' directive from CSP 1.1

From: Eric Chen <eric.chen@sv.cmu.edu>
Date: Fri, 8 Jun 2012 13:21:30 -0700
Message-ID: <CAF8haay3LvF-kgPWRXcbZm=7evj3C9Chkv_hbBOG8fgEhCmuFg@mail.gmail.com>
To: public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>

Hello Everyone:

I would like to propose the removal of the 'form-action' directive from CSP
1.1 because it offers very few security guarantees against data
exfiltration attacks. We wrote a paper on this particular topic:
http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf

In summary, the attack works as follows:
1. Alice has a blog that uses the 'form-action' directive to protect data
from being sent to evil.com
2. The attacker creates a form that posts the user's data to the comment
section of a blog post.
3. The attacker reads the blog post to extract the data

We discovered that 40% of the Alexa top 100 websites contain at least one
exfiltration channel without CSRF protection, which makes them susceptible
to this attack (yes, even with JavaScript disabled).

-- 
-Eric
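As an added illustration (not code from the post or the paper), here is a small Python model of 'form-action' enforcement beside a blog comment endpoint, showing why the directive alone does not stop the exfiltration channel described above and that a CSRF check on the endpoint does. The origins (alice.example, evil.example), the CommentEndpoint class and the function names are constructed for the example.

```python
from urllib.parse import urlparse
import secrets


def _origin(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def form_action_allows(csp, page_url, action_url):
    """Model of the browser's form-action check: True if the page's CSP permits
    a form submission to action_url. Handles 'self', 'none', '*' and full-origin
    sources; other source expressions are treated as non-matching."""
    sources = []
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "form-action":
            sources = parts[1:]
    if not sources:
        return True  # no form-action directive means no restriction
    target = _origin(action_url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "*" or src.lower() == target:
            return True
        if src == "'self'" and target == _origin(page_url):
            return True
    return False


class CommentEndpoint:
    """Constructed comment endpoint; posted comments are publicly readable."""

    def __init__(self, origin, require_csrf):
        self.origin = origin
        self.require_csrf = require_csrf
        self.token = secrets.token_hex(8)  # handed only to the site's own forms
        self.comments = []

    def submit(self, data, csrf_token=None):
        if self.require_csrf and csrf_token != self.token:
            return False  # submission without a valid token is rejected
        self.comments.append(data)
        return True


def simulate_submission(csp, page_url, endpoint, data, csrf_token=None):
    """A form on page_url posts `data` to endpoint.origin + '/comment'.
    Returns True if the data is accepted, i.e. lands in the public comments."""
    action_url = endpoint.origin + "/comment"
    if not form_action_allows(csp, page_url, action_url):
        return False  # the browser blocks the submission
    return endpoint.submit(data, csrf_token)
```

The same-origin comment endpoint is permitted by form-action 'self', so the directive blocks only the direct post to evil.example; the CSRF token is what stops the injected form.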
Received on Friday, 8 June 2012 20:22:47 GMT
