
Re: Proposal to remove the 'frame-action' directive from CSP 1.1

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 11 Jun 2012 10:12:43 -0700
Message-ID: <CAJE5ia_NKU+PHjgVgw9-V_gV4FSgj59kCerKrpDcHkmVbwmiGQ@mail.gmail.com>
To: Eric Chen <eric.chen@sv.cmu.edu>
Cc: public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>

What about form-action 'none'? Is that still useful?

Also, you might expect that web sites that implement CSP are more
interested in security and therefore more likely to be part of the 60%
that protect themselves from CSRF.

Adam


On Fri, Jun 8, 2012 at 1:21 PM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
> Hello Everyone:
>
> I would like to propose the removal of the 'frame-action' directive from CSP 1.1
> because it offers very few security guarantees against data exfiltration
> attacks. We wrote a paper on this particular
> topic: http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf
>
> In summary, the attack works as follows:
> 1. Alice has a blog that uses the 'form-action' directive to protect data
> from being sent to evil.com
> 2. The attacker creates a form that posts the user's data to the comment
> section of a blog post.
> 3. The attacker reads the blog post to extract the data
>
> We discovered that 40% of the Alexa top 100 websites contain at least one
> exfiltration channel without CSRF protection, which makes them susceptible
> to this attack (yes, even with JavaScript disabled).
>
> --
> -Eric
>
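As an added illustration of the exchange above (constructed example code, not from the paper or from anyone on the list): a simplified model of form-action source matching, a hypothetical same-origin comment endpoint, and the constructed origins alice.example and evil.example. It shows why a form posting to the blog's own comment endpoint passes form-action 'self' and only a CSRF token check stops the write, while form-action 'none' refuses every form target.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example: a simplified model of form-action source matching,
# not a browser's CSP implementation.
def form_action_allows(policy, page_origin, action_url):
    """True if the form-action directive in `policy` permits posting to action_url."""
    sources = policy.split()[1:]  # "form-action 'self'" -> ["'self'"]
    if "'none'" in sources:
        return False
    u = urlsplit(action_url)
    target = f"{u.scheme}://{u.netloc}"
    for src in sources:
        if src == "'self'" and target == page_origin:
            return True
        if src == target:
            return True
    return False

class CommentEndpoint:
    """Hypothetical same-origin comment handler with a session-bound CSRF token."""
    def __init__(self):
        self.comments = []
    def issue_token(self, session):
        session["csrf"] = secrets.token_hex(16)
        return session["csrf"]
    def handle_post(self, session, form):
        expected = session.get("csrf")
        if not expected or not hmac.compare_digest(expected, form.get("csrf", "")):
            return 403  # reject: no valid token, as in a cross-site submission
        self.comments.append(form["body"])
        return 200

def demo():
    page = "https://alice.example"  # constructed origins
    policy = "form-action 'self'"
    # A form whose action is the blog's own comment endpoint passes form-action,
    # so the directive alone cannot tell it apart from Alice's real comment form.
    allowed = form_action_allows(policy, page, "https://alice.example/comment")
    blocked = form_action_allows(policy, page, "https://evil.example/collect")
    ep = CommentEndpoint()
    session = {}
    ep.issue_token(session)
    cross_site = ep.handle_post(session, {"body": "secret"})  # no token -> 403
    legit = ep.handle_post(session, {"body": "hi", "csrf": session["csrf"]})
    return allowed, blocked, cross_site, legit
```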
Received on Monday, 11 June 2012 17:13:46 GMT