
Re: [webappsec] for afternoon F2F discussion, proposed CSP 1.1 JSONP directive

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Wed, 2 May 2012 12:39:47 -0700
Message-ID: <CALx_OUCG9fMA_u=a4OvDUh7dFtfxzPPm2yqBGimSiNTo-GW3=A@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

The proposed approach also doesn't solve the problem of JSONP APIs
being present in one of the already whitelisted origins. For example,
if I permit scripts from maps.google.com or api.twitter.com, I don't
want an XSS vector to leverage their JSONP interfaces to execute
scripts.

I think this is more elegantly solved by allowing full URL or possibly
path scoping as an alternative to origin scoping for existing CSP
directives.

Also, isn't the assumption about JSONP format a bit optimistic? In
particular, some JSONP APIs include comments or whitespace at the
beginning (for example to thwart MSIE HTML sniffing behavior). There
are also some APIs that do something like:

var_name = { JSON }

...or:

fn_name([...serialized array...])

...or:

fn_name({...JSON...}, ...something_else)

/mz
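The response shapes listed in the message, as an added JavaScript example that is not part of the original thread: a checker that tests a JSONP body against the strict `callback({...});` grammar a JSONP directive would have to assume, and reports which of the variants above it actually is. The strict grammar, the `classifyJsonp` function, its shape labels and the sample bodies are all assumptions constructed for this example.

```javascript
// Added example, not from the thread: classify a JSONP response body against
// the strict shape `identifier({ ...JSON object... });` that a JSONP-aware
// directive would have to assume, and report which real-world variant it is.
const IDENT = '[A-Za-z_$][\\w$.]*';
const ASSIGN = new RegExp('^' + IDENT + '\\s*=\\s*([\\s\\S]+)$');
const CALL = new RegExp('^' + IDENT + '\\s*\\(([\\s\\S]*)\\)$');

function tryJson(s) {
  try { return { ok: true, value: JSON.parse(s) }; } catch (e) { return { ok: false }; }
}

// Drop leading whitespace and /* */ or // comments (the prefix some APIs emit
// to defeat MSIE content sniffing). Returns the rest and whether any was found.
function stripLeadingNoise(text) {
  const noise = /^(?:\s+|\/\*[\s\S]*?\*\/|\/\/[^\n]*(?:\n|$))/;
  let s = text, m;
  while ((m = s.match(noise)) !== null) s = s.slice(m[0].length);
  return [s, s.length !== text.length];
}

function classifyJsonp(text) {
  const [body, leadingNoise] = stripLeadingNoise(text);
  const stmt = body.trim().replace(/;$/, '').trim();   // tolerate a trailing ';'
  let shape = 'unknown', m;
  if ((m = stmt.match(ASSIGN)) !== null && tryJson(m[1]).ok) {
    shape = 'assignment';                       // var_name = { JSON }
  } else if ((m = stmt.match(CALL)) !== null) {
    const args = m[1];
    const single = tryJson(args);
    if (single.ok) {
      const v = single.value;
      shape = Array.isArray(v) ? 'call-array'   // fn_name([...])
        : (v !== null && typeof v === 'object') ? 'call-object'  // fn_name({...})
        : 'call-scalar';                        // fn_name("str") / fn_name(42)
    } else if (tryJson('[' + args + ']').ok) {
      shape = 'call-multi';                     // fn_name({...}, something_else)
    } else {
      shape = 'call-other';                     // an argument is not plain JSON
    }
  }
  // Only a bare object call with no leading comment/whitespace meets the
  // strict assumed grammar; everything else would be rejected or misparsed.
  return { shape, leadingNoise, strict: shape === 'call-object' && !leadingNoise };
}

// Constructed sample bodies covering the variants named in the message.
const SAMPLES = {
  strict: 'cb({"q": "maps"});',
  commented: '/* guard */\ncb({"q": "maps"})',
  assignment: 'var_name = {"id": 1};',
  arrayArg: 'fn_name([1, 2, 3])',
  multiArg: 'fn_name({"id": 1}, 200)',
};
```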
Received on Wednesday, 2 May 2012 19:40:40 GMT
