Re: [Content Security Policy] Proposal to move the debate forward

On 28/01/11 10:05, gaz Heyes wrote:
> Ok, let me drive this grave error home: if at any point the script
> token becomes session based it's useless. An attacker (me) would inject
> an HTML form equivalent based vector to steal all tokens

How would you steal all tokens if you couldn't run any script because 
you didn't have the token?

If the token is equivalent to the user's session ID, then running some 
malicious script becomes an equivalent problem to stealing their session 
ID without script. That doesn't sound trivial to me.

Or have I missed something?

> and then inject
> If for some crazy reason you decide to
> use session based tokens then you would have to validate all HTML
> injections

I'm not sure what you mean by "validate all HTML injections", but I 
don't think anyone is suggesting that using CSP means that you can just 
safely print arbitrary user-supplied content as HTML.

Gerv

Received on Friday, 28 January 2011 10:34:16 UTC
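The point under dispute in this thread (whether a per-session script token is safe, or whether it must be fresh for every response) can be modelled in a few lines. The following is an added example, not code from the thread or from the CSP proposal being discussed; the header name, the "token attribute" on inline scripts, and the browser-side check are all assumptions chosen to make the property testable, not the proposal's actual syntax.

```python
import secrets
import hmac


def render_page(policy_token, inline_scripts):
    """Constructed model of one server response: a CSP-style policy that names
    the script token the browser should accept, plus the inline scripts the
    page carries, each tagged with a token attribute (assumed syntax)."""
    return {"policy": policy_token, "scripts": list(inline_scripts)}


def browser_allows(response, script):
    """Model of the user agent's check: an inline script runs only if its token
    matches the policy token of the response it appears in. Constant-time
    comparison, as one would want for any secret-equality check."""
    return hmac.compare_digest(response["policy"], script["token"])


class PerResponseTokens:
    """Hypothetical issuer: a fresh random token for every response, regardless
    of session. This is the design Gerv's reply argues is hard to abuse."""

    def token_for_response(self, session_id):
        return secrets.token_urlsafe(16)


class SessionBoundTokens:
    """Hypothetical issuer: one token per session, reused on every response.
    This is the design gaz objects to."""

    def __init__(self):
        self._by_session = {}

    def token_for_response(self, session_id):
        if session_id not in self._by_session:
            self._by_session[session_id] = secrets.token_urlsafe(16)
        return self._by_session[session_id]


def token_reuse_across_responses(issuer, session_id="sess-demo"):
    """Return True if a token seen in one response is still honoured by the
    next response for the same session. That is the property that turns a
    single leaked token into durable script execution; a per-response token
    expires with the response it was issued for."""
    first = issuer.token_for_response(session_id)
    r1 = render_page(first, [{"src": "app.js", "token": first}])
    # The page's own script carries the right token and runs.
    assert browser_allows(r1, r1["scripts"][0])

    second = issuer.token_for_response(session_id)
    r2 = render_page(second, [])
    # A script tagged with the token copied from the earlier response.
    stale = {"src": "reused", "token": first}
    return browser_allows(r2, stale)


if __name__ == "__main__":
    print("per-response token reusable:", token_reuse_across_responses(PerResponseTokens()))
    print("session-bound token reusable:", token_reuse_across_responses(SessionBoundTokens()))
```

The two issuers differ only in token lifetime; everything else in the model is identical, which is why a leaked session-bound token keeps working while a leaked per-response token is already stale by the time it could be replayed.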