W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2012

Re: CSP and cross-frame communication

From: David Bruant <bruant.d@gmail.com>
Date: Thu, 01 Mar 2012 10:10:23 +0100
Message-ID: <4F4F3CFF.8030301@gmail.com>
To: Adam Barth <w3c@adambarth.com>
CC: Daniel Veditz <dveditz@mozilla.com>, Jacob Rossi <Jacob.Rossi@microsoft.com>, "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Le 29/02/2012 23:04, Adam Barth a écrit :
> I'm sorry, but the platform cannot current support your use case.
> There are only two levels of trust in the platform: either you trust a
> document or you don't.  If you trust the document, then it can do
> anything that you can do.  If you don't trust it, then you're fully
> isolated from it and can communicate with it using postMessage, etc.
This limitation of "2 levels of trust" is exactly what got us screwed in 
web security in the first place. The "if you trust, it can do anything 
you can do" case is what allows XSS to be successful.
"2 levels of trust" is what should be addressed. And it is. This is 
*exactly* the very reason CSP is being invented: CSP allows finer 
granularity to declare for one document what we trust and what we do not 
trust.

As an example, the different combinations of the script-src directive 
are as many different levels of trust. You load a document and decide to 
trust:
1) no script at all
2) some scripts sources (list declared in the directive)
3) some scripts sources without unsafe evals
4) no inline scripts
5) some scripts, but with reduced connectivity capabilities (connect-src 
directive)

These reflect different levels of trusts in the document you load (it's 
not an exhaustive list).

I would be fine with arguments saying that the directive I propose is of 
the wrong granularity, a bad idea because doesn't protect from what I 
want it to protect, or because the attack I'm describing is too marginal.
But "the platform cannot current support your use case, There are only 
two levels of trust in the platform" does not seem to be a valid argument.

David
Received on Thursday, 1 March 2012 09:11:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 1 March 2012 09:11:02 GMT