Re: CSP: non-TLS scheme restrictions must allow TLS-enabled schemes automatically

> Isn't there a risk here? HTTP vhosting exists, but TLS vhosting does not
> (really) yet. So the owner of the website which is at
> http://www.foo.com/ might find that accessing https://www.foo.com/
> actually gives them the HTML content of https://www.bar.com/, which is
> hosted on the same machine, but controlled by someone else entirely.
>

Wouldn't this throw a certificate error (and with HSTS, die without warning)?


=devdatta


> So if the owner of bar.com found an XSS hole in foo.com, they could
> inject links to "https://www.foo.com/", which would be CSP-allowed, and
> yet would return content under his control. (Albeit with certificate
> mismatch errors.)
>
> Is this risk basically just theoretical, or worth considering?
>
> Gerv
>
>

Received on Monday, 27 June 2011 17:44:15 UTC
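The rule in the subject line (a source expression with a non-TLS scheme also admitting its TLS-enabled counterpart, but not the reverse) as a small Python model, added here as an illustration and not taken from the thread or from any CSP implementation; `url_allowed` and the port handling are a simplified assumption of the CSP matching algorithm. Note that the matcher only sees scheme, host and port: whether https://www.foo.com actually serves foo.com's content is decided by the TLS certificate check, which is the point devdatta raises.

```python
from urllib.parse import urlsplit

# Default ports used when a URL or a source expression omits one.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# The asymmetric rule under discussion: a non-TLS scheme in a source
# expression also admits its TLS-enabled counterpart, never the reverse.
TLS_UPGRADE = {"http": "https", "ws": "wss"}


def scheme_matches(source_scheme, url_scheme):
    """True if url_scheme is admitted by source_scheme."""
    return url_scheme == source_scheme or TLS_UPGRADE.get(source_scheme) == url_scheme


def url_allowed(sources, url, page_scheme="http"):
    """Return True if `url` matches at least one host-source expression.

    Simplified model (an assumption, not the full CSP algorithm): each source
    is scheme://host[:port]; a source without a scheme inherits the page's
    scheme; a source without a port matches only the URL scheme's default port.
    """
    u = urlsplit(url)
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    for src in sources:
        s = urlsplit(src if "://" in src else f"{page_scheme}://{src}")
        if not scheme_matches(s.scheme, u.scheme):
            continue
        if s.hostname != u.hostname:  # hostnames compare case-insensitively
            continue
        if s.port is None:
            # No port in the source: the URL must sit on its scheme's default
            # port, so http://www.foo.com admits https://www.foo.com (443).
            if url_port != DEFAULT_PORTS.get(u.scheme):
                continue
        elif s.port != url_port:
            continue
        return True
    return False


if __name__ == "__main__":
    policy = ["http://www.foo.com"]  # constructed sample policy
    print(url_allowed(policy, "https://www.foo.com/"))   # True
    print(url_allowed(policy, "https://www.bar.com/"))   # False
```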