W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2012

Re: Proposal to remove the 'frame-action' directive from CSP 1.1

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 11 Jun 2012 10:44:42 -0700
Message-ID: <CAJE5ia9iS7gjk9NctyjJzwm+sbri-ckMpZvdZ1eGDNg7kxP1mQ@mail.gmail.com>
To: Eric Chen <eric.chen@sv.cmu.edu>
Cc: Mike West <mkwst@google.com>, public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>
On Mon, Jun 11, 2012 at 10:28 AM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
>> I'd also note that combining `form-action` with the proposal for more
>> granular (directory level) sources would make the directive more effective
>> than the paper presupposes. Authors would have the ability to lock a page
>> down to submitting forms to specific recipients on their own origin, which
>> would be a fairly powerful defense.
>
> I'm not sure if I understood this correctly, wouldn't "all" forms be
> whitelisted? Assume youtube.com has a comment section that can be used to
> exfiltrate data. This comment section has to on the whitelist if youtube.com
> wants users to post comments at all.

I presume YouTube uses CSRF tokens on their comment fields.  The
attacker won't be able to learn the CSRF token without being able to
execute script (and if the attacker can run script, there are plenty
of other exfiltration avenues).

Recall that the context for this discussion is "Postcards from the
post-XSS world":

http://lcamtuf.coredump.cx/postxss/

Specifically, getting ahead of the curve so that we're ready with
defenses for the next set of attacks after CSP has stopped XSS.
(Yeah, we're optimists.)

Adam
Received on Monday, 11 June 2012 17:46:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 11 June 2012 17:46:19 GMT