
Re: CSP & data URIs

From: Yoav Weiss <yoav@yoav.ws>
Date: Fri, 11 Jan 2013 10:30:26 +0100
Message-ID: <CACj=BEjHjKMVOmTMxa9N=8gPEzGaiZAR=7jbWj2=ue6Q3bGFhw@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Does it pose a risk besides the obvious defacement risk?
I guess that a malicious image can also exploit a decoder bug, but I'm not
certain that's a real life threat (with sandboxing, etc).

Would you consider this risk high enough to include a nonce-like mechanism
for image data URIs? It would be a shame if Web developers have to choose
between performance and security.

Thanks,
Yoav


On Fri, Jan 11, 2013 at 10:18 AM, Adam Barth <w3c@adambarth.com> wrote:

> Keep in mind that an attacker who can inject an <img> tag into your
> site can use a data URL to display whatever image he or she likes.
> Adding data: as a src does increase the risk from an XSS attack.
>
> Adam
>
>
> On Thu, Jan 10, 2013 at 7:33 AM, Yoav Weiss <yoav@yoav.ws> wrote:
> > OK, my mistake.
> > In that case, I understand that enabling "img-src data:" in CSP can be
> > recommended as part of a Web performance best practice.
> >
> >
> > On Thu, Jan 10, 2013 at 4:02 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> >>
> >> On 1/10/13 9:44 AM, Yoav Weiss wrote:
> >>>
> >>> It seems that at least in some browsers, img data URIs are XSS
> >>> exploitable[1][2].
> >>
> >>
> >> Uh.... no.  They're not.  What made you think they are, exactly?  The
> >> links you point to certainly say nothing of the sort.
> >>
> >> -Boris
> >>
> >
>
Received on Friday, 11 January 2013 09:30:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 11 January 2013 09:30:54 GMT