SEC Consult's "CSP Bypasses"

From: Mike West <mkwst@google.com>
Date: Tue, 16 Jul 2013 22:46:19 +0200
Message-ID: <CAKXHy=en5w4Zw8=-J8NMw4cJOykrT75U5s=zRYXoe2xscFYYyQ@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
I ran across
http://blog.sec-consult.com/2013/07/content-security-policy-csp-another.html
earlier in the week: while I don't think any of the described CSP bypasses are
particularly dangerous, I think #1 and #2 are worth considering for a few
moments.

#1: Prerendering/prefetching: Injecting
`<link id=1 rel="prerender" href="http://example.com/">` can cause a
credential request to be made on a user's behalf. The author suggests that
`connect-src` should control this behavior: I think I agree, even though it's
not a perfect fit.

#2: `<meta refresh>`: Injecting a meta tag that refreshes to a data URL can
cause script to execute. It won't be same-origin with the page into which
it was injected, but depending on the script, it could be a phishing
vector, etc. This doesn't really fit any of the directives (`form-action`
is closest), but it certainly doesn't seem worthwhile to add a
`meta-action` directive. I could see it falling under the 'unsafe-inline'
bits of `script-src`, I suppose (weakly hanging my hat on "The directive
also controls other resources, such as XSLT style sheets [XSLT], which can
cause the user agent to execute script."). Suggestions would be appreciated.

#3 is straightforward: if you include 'unsafe-inline', you're beyond saving.

WDYT?

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
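As an added example (not part of Mike's message or of any CSP implementation), the following Python scanner flags the two markup patterns discussed under #1 and #2 when reviewing rendered HTML or templates during a CSP rollout: a `<link rel="prerender">`/`prefetch` element, which triggers a credentialed fetch that no current directive governs, and a `<meta http-equiv="refresh">` whose target is a `data:` (or `javascript:`) URL, which can run script outside the page's origin. The sample document and its URLs are constructed for the example; the function names are my own.

```python
"""Flag prerender links and script-bearing meta refreshes in HTML (added example)."""
import re
from html.parser import HTMLParser

# rel tokens that cause the user agent to fetch a URL outside any CSP directive
PRERENDER_RELS = {"prerender", "prefetch"}

# Accepts "0;url=...", "5; URL='...'" and the bare "30" form (which has no URL).
_REFRESH_RE = re.compile(r"\s*\d+\s*[;,]\s*(?:url\s*=\s*)?['\"]?([^'\"]+)", re.I)


def refresh_target(content):
    """Return the URL named in a meta-refresh content attribute, or None."""
    m = _REFRESH_RE.match(content)
    return m.group(1).strip() if m else None


def is_script_bearing_refresh(url):
    """True if the refresh target is a scheme that can execute script."""
    scheme = url.split(":", 1)[0].strip().lower()
    return scheme in ("data", "javascript")


class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, url) tuples

    # html.parser routes self-closing tags here as well
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        if tag == "link":
            rels = set(a.get("rel", "").lower().split())
            if rels & PRERENDER_RELS and a.get("href"):
                self.findings.append(("link-prerender", a["href"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            url = refresh_target(a.get("content", ""))
            if url is not None:
                self.findings.append(("meta-refresh", url))


def scan_html(html):
    """Return [(kind, url), ...] for every flagged element, in document order."""
    parser = _Scanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def review(html):
    """Attach a one-line rationale to each finding for an audit report."""
    report = []
    for kind, url in scan_html(html):
        if kind == "link-prerender":
            note = "credentialed fetch not governed by any CSP directive"
        elif is_script_bearing_refresh(url):
            note = "refresh to a script-bearing URL; runs outside the page origin"
        else:
            note = "navigation target; compare against form-action/default-src intent"
        report.append({"kind": kind, "url": url, "note": note})
    return report


# Constructed sample document (not taken from the blog post or the list message).
SAMPLE = """<!doctype html><html><head>
<link id=1 rel="prerender" href="http://example.com/">
<meta http-equiv="refresh" content="0;url=data:text/html,constructed-sample">
<link rel="stylesheet" href="/app.css">
<meta http-equiv="refresh" content="30">
</head><body></body></html>"""

if __name__ == "__main__":
    for entry in review(SAMPLE):
        print(f"{entry['kind']:15} {entry['url']}  -- {entry['note']}")
```

Run against a page's server-rendered output (or a template corpus) to find places where an attacker-controlled string could land inside `<head>`; a plain `30`-second refresh with no URL is deliberately ignored, and an ordinary stylesheet `<link>` is not reported.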
Received on Tuesday, 16 July 2013 20:47:08 UTC