Re: Meta tag verification

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 3 Mar 2014 13:38:13 -0800
Message-ID: <CAPfop_1kdS0t7vxgcVLQneG3fXE3tnhnmaQqguTZnmB+SJGwXw@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

> Namely, it seems a little too easy to shoot oneself in the foot by doing
> something as simple as putting a title tag with user content above it.

How? The mental model I have of CSP is that it mostly constrains
behavior and does not give new capabilities. So, injecting a new CSP
policy should mostly not be an issue. Am I missing some attack?

At a glance, the only directives that don't constrain further are
the report-uri, reflected-xss, and referrer directives. If so, for meta
element CSP policies, maybe we can (a) limit report-uris to
same-origin (or disallow), (b) disallow 'allow' for reflected-xss, and
(c) disallow 'unsafe-url' for referrer.


~Dev
Received on Monday, 3 March 2014 21:39:01 UTC
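
The restrictions (a) to (c) proposed in the message above, sketched as a filter over a policy string delivered through a meta element. This is an added example, not part of the original message or of any browser or specification; `restrictMetaPolicy`, the origin `https://app.example.com` and the sample policy are assumptions constructed for illustration, and it implements the same-origin variant of (a) rather than disallowing report-uri outright.

```javascript
// Added illustration, not browser or spec code. All names are hypothetical.
// Directive values may appear quoted or unquoted, so compare without quotes.
const unquote = (v) => v.replace(/^'(.*)'$/, '$1').toLowerCase();

function sameOrigin(value, documentOrigin) {
  try {
    // Relative endpoints resolve against the document origin.
    return new URL(value, documentOrigin).origin === new URL(documentOrigin).origin;
  } catch (e) {
    return false; // unparseable endpoint: treat as not same-origin
  }
}

function restrictMetaPolicy(policyText, documentOrigin) {
  const kept = [];
  const dropped = [];
  for (const raw of policyText.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    let values = tokens.slice(1);
    if (name === 'report-uri') {
      // (a) only same-origin report endpoints survive
      const ok = values.filter((v) => sameOrigin(v, documentOrigin));
      values.filter((v) => !ok.includes(v)).forEach((v) => dropped.push(`${name} ${v}`));
      if (ok.length === 0) continue;
      values = ok;
    } else if (
      (name === 'reflected-xss' && values.some((v) => unquote(v) === 'allow')) || // (b)
      (name === 'referrer' && values.some((v) => unquote(v) === 'unsafe-url'))    // (c)
    ) {
      dropped.push([name, ...values].join(' '));
      continue;
    }
    // Every other directive only constrains the page further, so it is kept.
    kept.push([name, ...values].join(' '));
  }
  return { policy: kept.join('; '), dropped };
}

// Constructed sample: a policy as it might arrive in an injected <meta> element.
const SAMPLE_POLICY =
  "default-src 'self'; report-uri /csp-report https://collector.example.net/r; " +
  "reflected-xss allow; referrer 'unsafe-url'";
const SAMPLE_RESULT = restrictMetaPolicy(SAMPLE_POLICY, 'https://app.example.com');
console.log(SAMPLE_RESULT);
```
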