Re: SEC Consult's "CSP Bypasses"

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 17 Jul 2013 15:24:12 -0400
Message-ID: <51E6EF5C.4030100@mit.edu>
To: public-webappsec@w3.org

On 7/17/13 2:50 PM, Anne van Kesteren wrote:
>>> How is this not frame-src? Or is this about top-level? What's the
>>> scenario there?
>>
>> The scenario is injection causing automagical top-level navigation. That's
>> why `script-src 'unsafe-inline'` seems like a quasi-decent fit, and why
>> `frame-src` doesn't seem relevant enough. *shrug*
>
> I meant the attack scenario. If it's a top-level navigation there's no
> same-origin concern. There would be if it happened inside an <iframe>.

I'm not sure I follow the toplevel-vs-iframe distinction here.  Why is 
there no same-origin concern with toplevel navigation?  Or are we 
assuming things like no ability to window.open from inside the frame 
before navigating the toplevel?

-Boris
Received on Wednesday, 17 July 2013 19:24:41 UTC