W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2012

Re: CSP and cross-frame communication

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 05 Mar 2012 11:13:19 -0800
Message-ID: <4F55104F.20905@mozilla.com>
To: David Bruant <bruant.d@gmail.com>
CC: Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On 3/1/12 1:10 AM, David Bruant wrote:
> This limitation of "2 levels of trust" is exactly what got us
> screwed in web security in the first place. The "if you trust, it
> can do anything you can do" case is what allows XSS to be successful.

Most XSS comes from programming mistakes in trusted content.
Dividing trust into finer levels doesn't really help with that problem.

> As an example, the different combinations of the script-src
> directive are as many different levels of trust. You load a document
> and decide to trust:
> 1) no script at all
> 2) some scripts sources (list declared in the directive)
> 3) some scripts sources without unsafe evals
> 4) no inline scripts

There are still only two levels -- sources you trust completely and
sources you don't. And if you allow inline-script and eval() you
probably aren't preventing any XSS attacks because the
attacker-injected content is indistinguishable from a source you trust.

Getting from where the ad hoc creation of the web has left us to a
safer future isn't going to be easy. CSP's baby steps toward forcing
authors to separate script and content are only a start.

-Dan Veditz
Received on Monday, 5 March 2012 19:14:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 5 March 2012 19:14:04 GMT