
Re: Proposal to remove the 'frame-action' directive from CSP 1.1

From: Eric Chen <eric.chen@sv.cmu.edu>
Date: Mon, 11 Jun 2012 10:28:43 -0700
Message-ID: <CAF8haayj1NBbpA5wXckuf7YOdfOQ2bwNfxi3BfH++QZNJhpzzw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Adam Barth <w3c@adambarth.com>, public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>
> I'd also note that combining `form-action` with the proposal for more
> granular (directory level) sources would make the directive more effective
> than the paper presupposes. Authors would have the ability to lock a page
> down to submitting forms to specific recipients on their own origin, which
> would be a fairly powerful defense.

I'm not sure if I understood this correctly; wouldn't "all" forms be
whitelisted? Assume youtube.com has a comment section that can be used to
exfiltrate data. This comment section has to be on the whitelist if
youtube.com wants users to post comments at all.

Received on Monday, 11 June 2012 17:29:12 UTC
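To make the point of the exchange concrete, here is an added example (not code from this thread or from any CSP implementation) that evaluates a `form-action` directive with directory-level sources against candidate form targets. It is a deliberately simplified matcher: sources must be written with a scheme, wildcards are not supported, and host plus port are compared literally. The page origin, policy string and target URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


def _source_matches(source: str, target: str, page_origin: str) -> bool:
    """Simplified CSP source-expression match for one form target.

    Path rules follow the directory-level proposal discussed in the thread:
    a source path ending in '/' matches any target path under that prefix,
    any other non-empty source path must match exactly.
    """
    if source == "'none'":
        return False
    tgt = urlsplit(target)
    if source == "'self'":
        src = urlsplit(page_origin)
        # Same scheme and host:port as the document that carries the policy.
        return (src.scheme, src.netloc) == (tgt.scheme, tgt.netloc)
    src = urlsplit(source)  # assumption: sources always carry a scheme
    if (src.scheme, src.netloc) != (tgt.scheme, tgt.netloc):
        return False
    if src.path in ("", "/"):
        return True  # origin-level source: any path on that origin
    if src.path.endswith("/"):
        return tgt.path.startswith(src.path)  # directory-level source
    return tgt.path == src.path  # exact-resource source


def form_action_allowed(policy: str, page_origin: str, form_target: str) -> bool:
    """Return True if the policy's form-action directive permits form_target.

    A policy without a form-action directive places no restriction on
    where forms may be submitted.
    """
    for directive in policy.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "form-action":
            sources = value.split()
            return any(_source_matches(s, form_target, page_origin) for s in sources)
    return True


def demo() -> dict:
    """Constructed scenario: a page that must keep its comment endpoint whitelisted."""
    page = "https://youtube.com/watch"  # constructed page origin
    policy = "form-action https://youtube.com/comments/"  # directory-level source
    return {
        # A form pointing off-origin is blocked by the directive.
        "off_origin_form": form_action_allowed(policy, page, "https://attacker.example/collect"),
        # A same-origin endpoint outside the whitelisted directory is also blocked.
        "other_same_origin_form": form_action_allowed(policy, page, "https://youtube.com/account/update"),
        # The comment endpoint is allowed, and form-action cannot tell a legitimate
        # comment form from one injected into the page that targets the same endpoint.
        "comment_form": form_action_allowed(policy, page, "https://youtube.com/comments/post"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

The third case is the one the reply above is concerned with: `form-action` constrains which recipients a page may submit to, so it narrows the set of usable endpoints, but any endpoint the site itself needs (such as a comment form) remains a permitted target for whatever form ends up in the page.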
