W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2012

Re: Proposal to remove the 'frame-action' directive from CSP 1.1

From: Eric Chen <eric.chen@sv.cmu.edu>
Date: Mon, 11 Jun 2012 10:48:12 -0700
Message-ID: <CAF8haax4T0pcj1u0ytPR0ZUw6mjbju_-GWFY=zeO_kkttgA8oQ@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>
> What about form-action 'none'.  Is that still useful?
>
I think it is very hard to find a site like this. Also there's nothing to
exfiltrate if the user can't log in :)


> Also, you might expect that web sites that implement CSP are more
> interested in security and therefore more likely to be part of the 60%
> that protect themselves from CSRF.

We actually did a survey on 11 sites that actually adopted CSP (out of
Alexa 1,000,000) and I believe 1 or 2 of these sites have CSRF-token-less
forms. This is probably not a good indication of all sites that will adopt
CSP in the future, but I think it's not easy to secure all form posts.



>
>
> On Fri, Jun 8, 2012 at 1:21 PM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
> > Hello Everyone:
> >
> > I would like to propose the removal of 'frame-action' directive from CSP
> 1.1
> > because it offers very little security guarantees from data exfiltration
> > attacks. We wrote a paper on this particular
> > topic: http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf
> >
> > In summary, the attack works as follows:
> > 1. Alice has a blog that uses the 'form-action' directive to protect data
> > from being sent to evil.com
> > 2. The attacker creates a form that posts the user's data to the comment
> > section of a blog post.
> > 3. The attacker reads the blog post to extract the data
> >
> > We discovered that 40% of the Alexa top 100 websites contain at least one
> > exfiltration channels without CSRF protection, which makes them
> susceptible
> > to this attack (yes, even with JavaScript disabled).
> >
> > --
> > -Eric
> >
>



-- 
-Eric
Received on Monday, 11 June 2012 17:48:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 11 June 2012 17:48:41 GMT