Re: Remove paths from CSP? from Eduardo' Vela\ on 2014-02-12 (public-webappsec@w3.org from February 2014)

From: Eduardo' Vela\ <evn@google.com>
Date: Wed, 12 Feb 2014 00:59:51 -0800
Cc: Brad Hill <bhill@paypal-inc.com>, Michal Zalewski <lcamtuf@google.com>, Odin Hørthe Omdal <odinho@opera.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adam Barth <w3c@adambarth.com>, Garrett Robinson <grobinson@mozilla.com>, Mike West <mkwst@google.com>, Daniel Veditz <dveditz@mozilla.com>
Message-ID: <CAFswPa-4PqUn704VGncVi-f3ywj1vy8hHfdDBotq=6515SNggg@mail.gmail.com>

To clarify.

If anyone whitelists www.google.com then they will whitelist

<script src="
https://www.google.com/news/feed?output=jsonp&callback=document.forms[0].elements[3].click
">

Which if done in sequence can be used to click all buttons in the UI, and
do XSS-like attacks.

We called this attack reverse clickjacking :-P

Received on Wednesday, 12 February 2014 09:00:18 UTC