
Re: Agenda for January 29 Teleconference

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 29 Jan 2013 15:22:40 -0800
Message-ID: <510859C0.8070002@mozilla.com>
To: Neil Matatall <neilm@twitter.com>
CC: Neil Matatall <neil@matatall.com>, Ian Melven <imelven@mozilla.com>, public-webappsec <public-webappsec@w3.org>, Eric Rescorla <ekr@rtfm.com>

On 1/29/2013 2:55 PM, Neil Matatall wrote:
>> If an attacker can inject a policy what data can be sent where?
>
> Is this a threat that we should keep in mind? If you can inject a
> policy, I would think you likely have bigger issues. And if you're
> over http://, you have no guarantees whatsoever.

It's not a threat that keeps me up at night but I don't want a security 
feature like CSP to be used to make a bad situation (MITM) worse.

So yeah, your site is over http:// and can't be trusted, but it's just a 
blog and you don't care. However, you use a 3rd party comment system 
that uses secure requests for SSO. You don't use CSP yourself (see 
"don't care" above). Can an injected policy leak information about the 
SSO credentials or details?

This is not idle speculation: an earlier version of Firefox put enough 
details in the CSP reports that an evil site (or an injected header) 
could compromise a visitor's OAuth 2.0 credentials.

Another scenario: your site is securely sent over TLS, but it has an 
HTML injection flaw (i.e. "XSS"). Extremely common; that's why we 
invented CSP. Can an injected <meta> CSP policy leak sensitive 
information to a remote attacker? Currently we protect against this 
attack by not allowing <meta> policies to specify a report URL, and we 
don't honor <meta> policies if there's already a policy specified in 
HTTP headers. There are people who chafe at both of those restrictions 
so we do need to worry about this scenario at least a little.

-Dan Veditz
Received on Tuesday, 29 January 2013 23:23:12 GMT
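The two <meta> restrictions described in the message above, modelled as an added Python example (not browser, Firefox or W3C code): a header-delivered policy takes precedence over any <meta>-delivered one, and a <meta> policy may not name a report destination. The directive names are real CSP directives (report-to is the newer reporting directive, not mentioned in the message); the collector URL in the demo is a constructed placeholder.

```python
"""Model of how a browser following the described rules selects a CSP.

Rule 1: if a policy arrived in an HTTP header, <meta> policies are ignored,
        so injected markup cannot replace or weaken the server's policy.
Rule 2: a <meta>-delivered policy may not specify a report destination,
        so an injected policy cannot direct violation reports off-site.
"""
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]

# Directives that would let a policy send data (blocked URIs etc.) off-site.
REPORTING_DIRECTIVES = {"report-uri", "report-to"}


def parse_csp(serialized: str) -> Policy:
    """Parse 'dir src src; dir src' into {directive: [sources]}.

    On a duplicated directive the first occurrence wins, as in CSP.
    """
    policy: Policy = {}
    for token in serialized.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def effective_policy(header_csp: Optional[str], meta_csp: Optional[str]) -> Policy:
    """Return the policy that is actually enforced for the document."""
    if header_csp is not None:
        # Rule 1: header policy present, <meta> policy (injected or not) ignored.
        return parse_csp(header_csp)
    if meta_csp is None:
        return {}
    policy = parse_csp(meta_csp)
    # Rule 2: strip any report destination from a <meta>-delivered policy.
    for directive in REPORTING_DIRECTIVES:
        policy.pop(directive, None)
    return policy


if __name__ == "__main__":
    # Constructed demo: an injected <meta> policy tries to point reports at a
    # placeholder collector; with a header policy present it is ignored outright.
    injected = "default-src *; report-uri https://collector.invalid/r"
    print(effective_policy("default-src 'self'", injected))  # header wins
    print(effective_policy(None, injected))  # report-uri dropped
```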
