
[whatwg] <iframe srcdoc> and Content-Security-Policy

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 7 May 2012 11:18:09 -0700
Message-ID: <CAJE5ia--8OJYqsTO1gJmnWuR-jSuNVRfQwOXK+r9s9Y2Uwje8w@mail.gmail.com>
== Summary ==

When creating a srcdoc document, we need to be careful to avoid
introducing a Content-Security-Policy loophole.

== Details ==

Consider a document with the following Content-Security-Policy:

Content-Security-Policy: default-src 'none'; frame-src *

Now, imagine the following injection vulnerability in index.php:

<body>Hello <?=$username?></body>

This Content-Security-Policy is supposed to prevent the attacker from
being able to inject script into index.php.  However, consider the
following value for $username:

$username = '<iframe
srcdoc="<script>alert(parent.document.cookie);</script>"></iframe>';

In this case, we could get in trouble if the user agent doesn't
enforce the parent document's Content-Security-Policy on the srcdoc
document because the user agent copies the parent document's origin
onto the child document.

== Proposal ==

When creating a srcdoc document, in the same way that we copy the
parent document's origin onto the child document, we should:

1) /enforce/, on the srcdoc document, all CSP policies currently being
enforced on the parent document.
2) /monitor/, on the srcdoc document, all CSP policies currently being
monitored on the parent document.

Please see <http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html>
for definitions of these terms.

Thanks!
Adam
Received on Monday, 7 May 2012 11:18:09 GMT
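The proposal above in runnable form, as an added example that is not browser, spec or mailing-list code: a toy model in which a srcdoc document copies the parent's origin together with the parent's enforced and monitored policies, so the inline script carried in the injected `$username` is blocked in the child exactly as it is in the parent. Every name here (`parseCsp`, `makeDocument`, `createSrcdocDocument`, `allowsInlineScript`, the `example.test` origin) is invented for illustration.

```javascript
// Toy model of CSP inheritance for srcdoc documents (added example, not spec code).

// Parse a CSP header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive] = sources;
  }
  return policy;
}

// A document carries its origin plus the policies it enforces and monitors.
function makeDocument(origin, enforced = [], monitored = []) {
  return { origin, enforced, monitored };
}

// Proposed behaviour: the srcdoc child copies the parent's origin AND the
// parent's enforced/monitored policy lists (copied, so later edits don't leak).
function createSrcdocDocument(parent) {
  return makeDocument(parent.origin, [...parent.enforced], [...parent.monitored]);
}

// Inline script is allowed by one policy only if the governing directive
// (script-src, falling back to default-src) contains 'unsafe-inline'.
function policyAllowsInlineScript(policy) {
  const sources = 'script-src' in policy ? policy['script-src'] : policy['default-src'];
  if (sources === undefined) return true; // no directive governs scripts
  return sources.includes("'unsafe-inline'");
}

// Enforced policies block; every one of them must allow the script.
function allowsInlineScript(doc) {
  return doc.enforced.every(policyAllowsInlineScript);
}

// Monitored policies never block; they only count violations for reporting.
function monitoredViolations(doc) {
  return doc.monitored.filter((p) => !policyAllowsInlineScript(p)).length;
}

// The mail's scenario: parent sends default-src 'none'; frame-src *.
const parent = makeDocument('https://example.test', // constructed origin
  [parseCsp("default-src 'none'; frame-src *")]);
const child = createSrcdocDocument(parent);          // proposal: policy inherited
const loophole = makeDocument(parent.origin);        // origin copied, policy not
```

With the proposal applied, `allowsInlineScript(child)` is false just like the parent, while the `loophole` document (origin copied without the policy) would let the inline script run.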