- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 29 Jan 2013 15:22:40 -0800
- To: Neil Matatall <neilm@twitter.com>
- CC: Neil Matatall <neil@matatall.com>, Ian Melven <imelven@mozilla.com>, public-webappsec <public-webappsec@w3.org>, Eric Rescorla <ekr@rtfm.com>
On 1/29/2013 2:55 PM, Neil Matatall wrote:
>> If an attacker can inject a policy what data can be sent where?
>
> Is this a threat that we should keep in mind? If you can inject a
> policy, I would think you likely have bigger issues. And if you're
> over http://, you have no guarantees whatsoever.

It's not a threat that keeps me up at night, but I don't want a security feature like CSP to be used to make a bad situation (MITM) worse.

So yeah, your site is over http:// and can't be trusted, but it's just a blog and you don't care. However, you use a 3rd party comment system that uses secure requests for SSO. You don't use CSP yourself (see "don't care" above). Can an injected policy leak information about the SSO credentials or details? This is not idle speculation: an earlier version of Firefox put enough details in the CSP reports that an evil site (or an injected header) could compromise a visitor's OAuth 2.0 credentials.

Another scenario: your site is securely sent over TLS, but it has an HTML injection flaw (i.e. "XSS"). Extremely common; that's why we invented CSP. Can an injected <meta> CSP policy leak sensitive information to a remote attacker? Currently we protect against this attack by not allowing <meta> policies to specify a report URL, and we don't honor <meta> policies if there's already a policy specified in HTTP headers. There are people who chafe at both of those restrictions, so we do need to worry about this scenario at least a little.

-Dan Veditz
Received on Tuesday, 29 January 2013 23:23:12 UTC
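As an added illustration (not code from the email or from any browser's source), here is a small Python model of the two <meta> restrictions Dan describes: a <meta>-delivered policy gets no report URL, and a <meta> policy is ignored when the HTTP header already carries one. The policy parsing is deliberately simplified and the injected policy string is a constructed sample.

```python
from typing import Dict, List, Optional

Policy = Dict[str, List[str]]


def parse_csp(policy: str) -> Policy:
    """Parse 'directive value ...; directive ...' into a dict (simplified).

    Directives are separated by ';', values by whitespace. The first
    occurrence of a directive name wins; later duplicates are ignored.
    """
    directives: Policy = {}
    for token in policy.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name, *values = parts
        directives.setdefault(name.lower(), values)
    return directives


def sanitize_meta_policy(meta: Policy) -> Policy:
    """Restriction 1: a <meta> policy may not specify a report URL, so an
    injected policy cannot direct violation reports (and whatever details
    they carry) to an attacker-chosen endpoint."""
    return {name: values for name, values in meta.items() if name != "report-uri"}


def effective_policies(header_csp: Optional[str], meta_csp: Optional[str]) -> List[Policy]:
    """Return the policies that would actually be enforced for a page.

    Restriction 2: if the HTTP header already delivers a policy, any
    <meta> policy in the document is not honored at all.
    """
    if header_csp:
        return [parse_csp(header_csp)]  # <meta> policy ignored entirely
    if meta_csp:
        meta = sanitize_meta_policy(parse_csp(meta_csp))
        if meta:  # a <meta> policy that was only a report-uri enforces nothing
            return [meta]
    return []


if __name__ == "__main__":
    # Constructed sample: an injected <meta> policy pointing reports at a placeholder host.
    injected = "default-src 'none'; report-uri https://attacker.example/collect"
    print(effective_policies("default-src 'self'", injected))  # header wins
    print(effective_policies(None, injected))                  # report-uri dropped
```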