W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2012

Re: Proposal to remove the 'frame-action' directive from CSP 1.1

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 11 Jun 2012 10:59:21 -0700
Message-ID: <CAJE5ia97Mpmu_80NssOUgZ__RBc61p3Z1caOEF=GY9hOrBprEQ@mail.gmail.com>
To: Eric Chen <eric.chen@sv.cmu.edu>
Cc: public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>
On Mon, Jun 11, 2012 at 10:48 AM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
>> What about form-action 'none'.  Is that still useful?
>
> I think it is very hard to find a site like this. Also there's nothing to
> exfiltrate if the user can't log in :)

It's actually really easy to use form-action 'none' in modern browsers:

<form id="foo">
 ...
</form>

== Some external script ==

var theForm = document.getElementById("foo");
theForm.addEventListener("submit", function() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", theURLToSendTheFormTo);
  xh.send(theForm);
}, false);

Also, many sites already use XMLHttpRequest for all their
client-to-server communication, so they wouldn't need to be modified
at all.

>> Also, you might expect that web sites that implement CSP are more
>> interested in security and therefore more likely to be part of the 60%
>> that protect themselves from CSRF.
>
> We actually did a survey on 11 sites that actually adopted CSP (out of Alexa
> 1,000,000) and I believe 1 or 2 of these sites have CSRF-token-less forms.
> This is probably not a good indication of all sites that will adopt CSP in
> the future, but I think it's not easy to secure all form posts.

Sounds like even the non-'none' version would be useful for 82--91% of
these folks.  Perfection certainly isn't necessary here.

Adam


>> On Fri, Jun 8, 2012 at 1:21 PM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
>> > Hello Everyone:
>> >
>> > I would like to propose the removal of 'frame-action' directive from CSP
>> > 1.1
>> > because it offers very little security guarantees from data exfiltration
>> > attacks. We wrote a paper on this particular
>> > topic: http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf
>> >
>> > In summary, the attack works as follows:
>> > 1. Alice has a blog that uses the 'form-action' directive to protect
>> > data
>> > from being sent to evil.com
>> > 2. The attacker creates a form that posts the user's data to the comment
>> > section of a blog post.
>> > 3. The attacker reads the blog post to extract the data
>> >
>> > We discovered that 40% of the Alexa top 100 websites contain at least
>> > one
>> > exfiltration channels without CSRF protection, which makes them
>> > susceptible
>> > to this attack (yes, even with JavaScript disabled).
>> >
>> > --
>> > -Eric
>> >
>
>
>
>
> --
> -Eric
>
Received on Monday, 11 June 2012 18:00:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 11 June 2012 18:00:23 GMT