- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Tue, 30 Aug 2011 15:22:53 -0600
- To: "public-web-security@w3.org" <public-web-security@w3.org>
Received on Tuesday, 30 August 2011 21:23:32 UTC
http://lcamtuf.blogspot.com/2011/08/subtle-deadly-problem-with-csp.html

"The key issue is that the granularity of CSP is limited to SOP origins: that is, you can permit scripts from http://www1.mysite.com:1234/, or perhaps from a wildcard such as *.mysite.com - but you can't be any more precise. I am fairly certain that in a majority of real-world cases, this will undo many of the apparent benefits of the scheme."

Basically, Return-Oriented Programming for XSS, or super-DOM-based XSS (made easier by patterns like JSONP).

This isn't a new idea, but I am curious to hear the opinions on the topic from the readers on this list. How important is this kind of attack to real world applications? Are real world web applications stable and well-defined enough to be identified in a more granular way?

Brad Hill
Sr. MTS, Internet Standards and Governance
PayPal Information Risk Management
cell: 206.245.7844 / skype: hillbrad
email: bhill@paypal-inc.com