Re: [Content Security Policy] Proposal to move the debate forward

On 28 January 2011 22:58, Brandon Sterne <> wrote:

> Okay, now we're getting somewhere.  In your example, as soon as the
> <iframe> navigates the page, that would cause the page to be reloaded,
> which in our use case, would result in a new script nonce being
> delivered in the policy.
> In other words, yes, you can steal the script token using this
> technique, but if the token is being properly rotated, then the token
> would be invalid as soon as you reload the page with your new injected
> payload.
> Do I have this right?

Yeah that was my whole point because Gerv said trade offs with the tokens
would be made and I said a session based token for scripts shouldn't be used
because it enables this attack.

Received on Saturday, 29 January 2011 09:14:42 UTC