W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2012

Re: CSP and cross-frame communication

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 1 Mar 2012 01:13:28 -0800
Message-ID: <CAJE5ia_X4xT=hBWtrTNAdvM39Kz5bRd7DhKDPSK3OffD+4XKwA@mail.gmail.com>
To: David Bruant <bruant.d@gmail.com>
Cc: Daniel Veditz <dveditz@mozilla.com>, Jacob Rossi <Jacob.Rossi@microsoft.com>, "Hill, Brad" <bhill@paypal-inc.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Mar 1, 2012 at 1:10 AM, David Bruant <bruant.d@gmail.com> wrote:
> Le 29/02/2012 23:04, Adam Barth a écrit :
>> I'm sorry, but the platform cannot current support your use case.
>> There are only two levels of trust in the platform: either you trust a
>> document or you don't.  If you trust the document, then it can do
>> anything that you can do.  If you don't trust it, then you're fully
>> isolated from it and can communicate with it using postMessage, etc.
>
> This limitation of "2 levels of trust" is exactly what got us screwed in web
> security in the first place. The "if you trust, it can do anything you can
> do" case is what allows XSS to be successful.
> "2 levels of trust" is what should be addressed. And it is. This is
> *exactly* the very reason CSP is being invented: CSP allows finer
> granularity to declare for one document what we trust and what we do not
> trust.
>
> As an example, the different combinations of the script-src directive are as
> many different levels of trust. You load a document and decide to trust:
> 1) no script at all
> 2) some scripts sources (list declared in the directive)
> 3) some scripts sources without unsafe evals
> 4) no inline scripts
> 5) some scripts, but with reduced connectivity capabilities (connect-src
> directive)
>
> These reflect different levels of trusts in the document you load (it's not
> an exhaustive list).
>
> I would be fine with arguments saying that the directive I propose is of the
> wrong granularity, a bad idea because doesn't protect from what I want it to
> protect, or because the attack I'm describing is too marginal.
> But "the platform cannot current support your use case, There are only two
> levels of trust in the platform" does not seem to be a valid argument.

I'm just saying that I don't know of a way to implement what you
propose.  If you're interested, you should try hacking up a copy of
Firefox or WebKit to build a prototype of your idea.

Adam
Received on Thursday, 1 March 2012 09:14:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 1 March 2012 09:14:33 GMT