- From: gaz Heyes <gazheyes@gmail.com>
- Date: Sat, 29 Jan 2011 09:14:10 +0000
- To: Brandon Sterne <bsterne@mozilla.com>
- Cc: Gervase Markham <gerv@mozilla.org>, public-web-security@w3.org
Received on Saturday, 29 January 2011 09:14:42 UTC
On 28 January 2011 22:58, Brandon Sterne <bsterne@mozilla.com> wrote:
> Okay, now we're getting somewhere. In your example, as soon as the
> <iframe> navigates the page, that would cause the page to be reloaded,
> which in our use case, would result in a new script nonce being
> delivered in the policy.
>
> In other words, yes, you can steal the script token using this
> technique, but if the token is being properly rotated, then the token
> would be invalid as soon as you reload the page with your new injected
> payload.
>
> Do I have this right?
>
Yeah, that was my whole point, because Gerv said trade-offs with the tokens would be made and I said a session-based token for scripts shouldn't be used because it enables this attack.
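As an added illustration of the point the two of them agree on above (example code written for this archive page, not code from Mozilla, the W3C, or either author), the following Python model contrasts a session-scoped script nonce with one rotated on every page load. The `SessionNonceServer`, `RotatingNonceServer` and `browser_executes` names, the session id, and the CSP header shape are all constructed for the example; the check simply asks whether a nonce read from one response still matches the policy delivered with the next one.

```python
"""Added example: why a CSP script nonce must rotate per page load.

Models the scenario in the thread: a nonce read from one page load is
reused in an injected <script nonce="..."> after the page reloads.  With a
session-scoped nonce the old value still matches; with a per-load nonce it
does not.  Everything here is constructed for the example, not real
Mozilla or W3C code.
"""
import re
import secrets

# token_urlsafe() output uses only these characters.
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/_=-]+)'")


def csp_header(nonce: str) -> str:
    """Build a Content-Security-Policy value whose only inline-script source
    is the given nonce."""
    return f"script-src 'nonce-{nonce}'"


def nonces_in_policy(header: str) -> set:
    """Extract every nonce source listed in the script-src directive."""
    for directive in header.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "script-src":
            return set(NONCE_RE.findall(value))
    return set()


def browser_executes(header: str, script_nonce: str) -> bool:
    """Model of the user agent's check: an inline script runs only if its
    nonce attribute matches a nonce source in the policy that arrived with
    *this* response."""
    return script_nonce in nonces_in_policy(header)


class SessionNonceServer:
    """Weak design: one nonce per session, repeated on every page load."""

    def __init__(self):
        self._by_session = {}

    def load_page(self, session_id: str) -> str:
        nonce = self._by_session.setdefault(session_id, secrets.token_urlsafe(16))
        return csp_header(nonce)


class RotatingNonceServer:
    """Recommended design: a fresh nonce on every response."""

    def load_page(self, session_id: str) -> str:
        return csp_header(secrets.token_urlsafe(16))


def old_nonce_still_valid(server, session_id: str = "sess-1") -> bool:
    """Read the nonce from a first page load, reload the page (as the
    navigation in the thread would), and ask whether the browser would still
    honour the old nonce under the newly delivered policy."""
    first_policy = server.load_page(session_id)
    captured = next(iter(nonces_in_policy(first_policy)))
    second_policy = server.load_page(session_id)  # reload: a new policy arrives
    return browser_executes(second_policy, captured)


if __name__ == "__main__":
    print("session nonce, old nonce still valid:",
          old_nonce_still_valid(SessionNonceServer()))   # True
    print("rotating nonce, old nonce still valid:",
          old_nonce_still_valid(RotatingNonceServer()))  # False
```

The rotating server keeps no state at all: because the browser only ever compares a script's nonce against the header of the same response, generating a fresh random value per response is both simpler and safer than caching one per session.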