
Re: SEC Consult's "CSP Bypasses"

From: Taras <oxdef@oxdef.info>
Date: Wed, 17 Jul 2013 11:51:04 +0400
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-Id: <AA797063-CDDB-47A9-B481-BA9D570A4EB0@oxdef.info>
To: Mike West <mkwst@google.com>
Hi,


On 17.07.2013, at 0:46, Mike West <mkwst@google.com> wrote:

> I ran across http://blog.sec-consult.com/2013/07/content-security-policy-csp-another.html earlier in the week: while I don't think any of the described CSP bypasses are particularly dangerous, I think #1 and #2 are worth considering for a few moments.
> 
> #1: Prerendering/prefetching: Injecting `<link id=1 rel="prerender" href="http://example.com/">` can cause a credential request to be made on a user's behalf. The author suggests that `connect-src` should control this behavior: I think I agree, even though it's not a perfect fit.

I don't think that connect-src is a good directive for that, because it isn't about the JS interface.
Currently there is no suitable directive in CSP 1.0 and this is the problem :( It could be something like 'prefetch-src'.

> #2: `<meta refresh>`: Injecting a meta tag that refreshes to a data URL can cause script to execute. It won't be same-origin with the page into which it was injected, but depending on the script, it could be a phishing vector, etc. This doesn't really fit any of the directives (`form-action` is closest), but it certainly doesn't seem worthwhile to add a `meta-action` directive. I could see it falling under the 'unsafe-inline' bits of `script-src`, I suppose (weakly hanging my hat on "The directive also controls other resources, such as XSLT style sheets [XSLT], which can cause the user agent to execute script."). Suggestions would be appreciated.
> 

It would be great if browsers permitted the META HTTP-EQUIV tag only in the first <HEAD></HEAD> block...
 
> #3 is straightforward: if you include 'unsafe-inline', you're beyond saving.
> 
> WDYT? 
> 
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

--
Taras
http://oxdef.info
GPG: C8D1F510
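A small detector for the two injection shapes discussed in this thread, added here as an example and not code from Mike or Taras: it walks a page with Python's html.parser and reports `<link rel="prerender"/"prefetch">` and `<meta http-equiv="refresh">` elements that CSP 1.0 has no directive for, noting whether the refresh targets a data: URL and whether the meta sits inside the first `<head>` block (the restriction Taras suggests). The sample HTML and the CspGapScanner class are constructed for this example.

```python
"""Flag markup that CSP 1.0 does not govern: prerender/prefetch links and
meta refresh redirects (added example; sample input is constructed)."""
from html.parser import HTMLParser
import re

# Constructed sample mirroring the injections discussed in the thread.
SAMPLE_HTML = """<html><head><title>x</title></head><body>
<p>user content</p>
<link id=1 rel="prerender" href="http://example.com/">
<meta http-equiv="refresh" content="0; url=data:text/html,hello">
<meta http-equiv="refresh" content="5; url=https://example.com/">
</body></html>"""


class CspGapScanner(HTMLParser):
    """Collect (tag, reason, target) for elements CSP 1.0 cannot restrict."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.in_head = False    # True while inside the first <head> block
        self.head_seen = False  # set once the first <head> has closed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # html.parser lowercases names
        if tag == "head":
            self.in_head = not self.head_seen
        elif tag == "link":
            rels = a.get("rel", "").lower().split()
            if "prerender" in rels or "prefetch" in rels:
                # Credentialed request on the user's behalf; no CSP 1.0 directive covers it.
                self.findings.append((tag, "prefetch/prerender outside CSP 1.0", a.get("href", "")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            url = m.group(1).strip("'\"") if m else ""
            where = "in first <head>" if self.in_head else "outside first <head>"
            kind = "meta refresh to data: URL" if url.lower().startswith("data:") else "meta refresh"
            self.findings.append((tag, f"{kind}, {where}", url))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
            self.head_seen = True


def scan(html):
    """Return the list of findings for one HTML document."""
    p = CspGapScanner()
    p.feed(html)
    return p.findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML):
        print(finding)
```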
Received on Wednesday, 17 July 2013 10:02:03 UTC
