[integrity]: Origin confusion attacks.

(following Devdatta's good example of splitting off threads)

Ben pointed out that caching might cause problems for CSP, given that the
origin of a resource is important when determining whether it ought to be
allowed access. More generally, this sort of attack is pointed out in
section 6.2 of the spec. I've expanded that text in [1] to make the attack
he outlines more clear.

I don't have a good mitigation idea off the top of my head, but I agree
it's something we should worry about.

[1]: https://github.com/w3c/webappsec/commit/d115d222f3715de5c74c0049dbb767d410151cb8

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Thursday, 9 January 2014 08:15:45 UTC