- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Wed, 31 Aug 2011 12:51:13 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: Daniel Veditz <dveditz@mozilla.com>, "sird@rckc.at" <sird@rckc.at>, "Hill, Brad" <bhill@paypal-inc.com>, "public-web-security@w3.org" <public-web-security@w3.org>
> Yeah, I agree that the main cost is complexity. The main question is
> whether this problem is actually "deadly" or whether lcamtuf is being
> hyperbolic.

Obviously the "deadly" part is not to be taken literally: I do not think there will be casualties ;-) But I do think that origin scoping makes it difficult to meaningfully use CSP with any large and diverse web property. I would be surprised if it would not be exploitable in places such as facebook.com, msn.com, google.com, twitter.com, wellsfargo.com, att.com, etc. I don't have a proof and may be wrong, but it looks like this is not an isolated sentiment.

If you guys wish to go with path scoping, there's an interesting thought experiment, though: why not save some bytes, and decouple script loads from the HTML document body completely, rather than duplicating the URLs in the policy and then in the document? It's more efficient, and also prevents the remote but not completely outlandish risk of loading scripts in the wrong order / more than once to achieve an unexpected result.

The objection to this proposal is that it decouples some critical information from the returned payload, but then, it's not like HTTP specs & browser implementations paid too much attention to this before (correctly preserving origin, Content-Type, and charset for locally saved documents, for example, is a bit of an unsolved problem).

Let's see how that troll goes over...

/mz
Received on Wednesday, 31 August 2011 19:51:55 UTC
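As an added illustration of the origin-versus-path scoping difference the thread is arguing about (example code written for this page; it is not from the mailing list and not any browser's CSP implementation): a deliberately simplified `script-src` source matcher. An origin-scoped source such as `https://cdn.example.com` allows a script from any path on that host, while a path-scoped source such as `https://cdn.example.com/static/js/` allows only scripts under that prefix (trailing slash means prefix match, no trailing slash means exact match, as in the later CSP Level 2 rules). The hostnames and URLs are constructed sample values; the functions `csp_source_allows`, `allowed_by_policy` and `compare_scoping` are hypothetical names introduced here, and real-world details such as wildcards, ports, percent-decoding and `'self'` are omitted.

```python
from urllib.parse import urlsplit


def csp_source_allows(source: str, script_url: str) -> bool:
    """Simplified CSP source-expression match on scheme, host and optional path.

    - "https://host"            -> origin-scoped: any path on that host matches
    - "https://host/dir/"       -> path-scoped: URL path must start with "/dir/"
    - "https://host/dir/a.js"   -> path-scoped: URL path must equal "/dir/a.js"
    Hypothetical helper written for this example (constructed, not a spec implementation).
    """
    src = urlsplit(source)
    url = urlsplit(script_url)
    # Scheme and host must match; hostnames are case-insensitive.
    if src.scheme != url.scheme or src.netloc.lower() != url.netloc.lower():
        return False
    if src.path in ("", "/"):
        # Origin-scoped source expression: every path on the host is allowed.
        return True
    if src.path.endswith("/"):
        # Directory prefix match (query string is ignored, as in CSP).
        return url.path.startswith(src.path)
    # Exact file match.
    return url.path == src.path


def allowed_by_policy(script_src_sources, script_url: str) -> bool:
    """True if any source expression in the (simplified) script-src list allows the URL."""
    return any(csp_source_allows(s, script_url) for s in script_src_sources)


def compare_scoping():
    """Evaluate the same script URLs under an origin-scoped and a path-scoped policy.

    Returns a dict of {url: (allowed_under_origin_policy, allowed_under_path_policy)}.
    The URLs are constructed sample values; 'uploads' stands for any path on an
    allow-listed host whose content the site operator does not fully control.
    """
    origin_scoped = ["https://cdn.example.com"]            # constructed sample policy
    path_scoped = ["https://cdn.example.com/static/js/"]    # constructed sample policy
    candidate_urls = [
        "https://cdn.example.com/static/js/app.js",         # first-party script
        "https://cdn.example.com/uploads/user123/file.js",  # user-controlled path
        "http://cdn.example.com/static/js/app.js",          # wrong scheme
        "https://other.example.net/static/js/app.js",       # wrong host
    ]
    return {
        u: (allowed_by_policy(origin_scoped, u), allowed_by_policy(path_scoped, u))
        for u in candidate_urls
    }


if __name__ == "__main__":
    for url, (by_origin, by_path) in compare_scoping().items():
        print(f"{url}\n  origin-scoped: {by_origin}  path-scoped: {by_path}")
```

The second sample URL is the point of the thread: under the origin-scoped policy the script from the user-controlled path is allowed just like the first-party one, whereas the path-scoped policy rejects it while still allowing `/static/js/app.js`. The scheme and host mismatches are rejected under both, so path scoping only narrows the host-level decision that origin scoping already makes.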