
Re: SEC Consult's "CSP Bypasses"

From: Mike West <mkwst@google.com>
Date: Thu, 18 Jul 2013 17:03:31 +0200
Message-ID: <CAKXHy=c89VmQVv8=4o4SCZdyC-Ndu2=Lex482388xeP74=K5Hg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Jul 17, 2013 at 8:50 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> >> How is this not frame-src? Or is this about top-level? What's the
> >> scenario there?
> >
> > The scenario is injection causing automagical top-level navigation. That's
> > why `script-src 'unsafe-inline'` seems like a quasi-decent fit, and why
> > `frame-src` doesn't seem relevant enough. *shrug*
>
> I meant the attack scenario. If it's a top-level navigation there's no
> same-origin concern. There would be if it happened inside an <iframe>.
> Navigating the user to a data URL or a different domain over http
> seems about the same...

As another data point, sandboxed iframes block meta refresh if automatic
features aren't allowed via 'allow-scripts'[1]. That seems like a good
argument for tying this to 'script-src'.

[1]: http://www.whatwg.org/specs/web-apps/current-work/multipage/semantics.html#attr-meta-http-equiv-refresh

-mike
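The sandbox behaviour Mike cites above, shown as a small self-contained page. This is an added illustration, not part of the original thread or of any spec text: two sandboxed iframes each carry a `<meta http-equiv="refresh">` in their `srcdoc`; the one without `allow-scripts` keeps the HTML spec's sandboxed automatic features flag set, so its refresh never fires, while the one with `allow-scripts` does refresh (within the frame only, since `allow-top-navigation` is not granted). The `example.invalid` URLs are placeholders.

```html
<!doctype html>
<meta charset="utf-8">
<title>Sandboxed iframe vs. meta refresh (added illustration)</title>

<!-- No allow-scripts: the sandboxed automatic features flag stays set,
     so the meta refresh is ignored and the frame keeps showing its text. -->
<iframe sandbox
        srcdoc="<meta http-equiv='refresh' content='0;url=https://example.invalid/blocked'>
                <p>refresh suppressed</p>">
</iframe>

<!-- allow-scripts clears that flag, so the refresh fires. It navigates
     only this frame: allow-top-navigation is not present, so the
     embedding page is never redirected. -->
<iframe sandbox="allow-scripts"
        srcdoc="<meta http-equiv='refresh' content='0;url=https://example.invalid/allowed'>
                <p>refresh runs</p>">
</iframe>
```

Open the page in a browser and watch the two frames: the first stays on its placeholder text, the second attempts the navigation. The point for the CSP discussion is that the platform already groups meta refresh with script-like "automatic" behaviour rather than with framing, which is the basis for tying it to `script-src` instead of `frame-src`.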
Received on Thursday, 18 July 2013 15:04:22 UTC
