- From: Gervase Markham <gerv@mozilla.org>
- Date: Fri, 28 Jan 2011 10:33:37 +0000
- To: gaz Heyes <gazheyes@gmail.com>
- CC: Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
On 28/01/11 10:05, gaz Heyes wrote:
> Ok let me drive this grave error home, if at any point that the script
> token becomes session based it's useless. An attacker (me) would inject
> a HTML form equivalent based vector to steal all tokens

How would you steal all tokens if you couldn't run any script because you didn't have the token?

If the token is equivalent to the user's session ID, then running some malicious script becomes an equivalent problem to stealing their session ID without script. That doesn't sound trivial to me. Or have I missed something?

> and then inject
> If for some crazy reason you decide to
> use session based tokens then you would have to validate all HTML
> injections

I'm not sure what you mean by "validate all HTML injections", but I don't think anyone is suggesting that using CSP means that you can just safely print arbitrary user-supplied content as HTML.

Gerv
Received on Friday, 28 January 2011 10:34:16 UTC