W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2013

Re: CSP & data URIs

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 11 Jan 2013 01:43:43 -0800
Message-ID: <CAJE5ia-MeiaFxLLTo=gOZRQfud_848QgpC3FdWASG66rk6yMtA@mail.gmail.com>
To: Yoav Weiss <yoav@yoav.ws>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Jan 11, 2013 at 1:30 AM, Yoav Weiss <yoav@yoav.ws> wrote:
> Does it pose a risk besides the obvious defacement risk?
> I guess that a malicious image can also exploit a decoder bug, but I'm not
> certain that's a real life threat (with sandboxing, etc).

It's mostly the defacement issue.

> Would you consider this risk high enough to include a nonce-like mechanism
> for image data URIs? It would be a shame if Web developers have to choose
> between performance and security.

Probably not.

Adam


> On Fri, Jan 11, 2013 at 10:18 AM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> Keep in mind that an attacker who can inject an <img> tag into your
>> site can use a data URL to display whatever image he or she likes.
>> Adding data: as a src does increase the risk from an XSS attack.
>>
>> Adam
>>
>>
>> On Thu, Jan 10, 2013 at 7:33 AM, Yoav Weiss <yoav@yoav.ws> wrote:
>> > OK, my mistake.
>> > In that case, I understand that enabling "img-src data:" in CSP can be
>> > recommended as part of a Web performance best practice.
>> >
>> >
>> > On Thu, Jan 10, 2013 at 4:02 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
>> >>
>> >> On 1/10/13 9:44 AM, Yoav Weiss wrote:
>> >>>
>> >>> It seems that at least in some browsers, img data URIs are XSS
>> >>> exploitable[1][2].
>> >>
>> >>
>> >> Uh.... no.  They're not.  What made you think they are, exactly?  The
>> >> links you point to certainly say nothing of the sort.
>> >>
>> >> -Boris
>> >>
>> >
>
>
Received on Friday, 11 January 2013 09:44:44 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 11 January 2013 09:44:44 GMT