- From: Eduardo Vela <sirdarckcat@gmail.com>
- Date: Mon, 30 May 2011 12:37:46 -0500
- To: public-web-security@w3.org
- Cc: masatokinugawa@gmail.com
Hi List. I think this issue has come up before (can't find the thread but I've seen it) and Masato (cc'd) brought this up to us recently. What can a CSP user do in the following case:

1. www.mozilla.org trusts scripts from www.youtube.com because they use one of their scripts.
2. Attacker is able to do www.youtube.com/video/export?id=1337&callback=eval(name)
3. Then Mozilla isn't capable of protecting using CSP.

In general, Mozilla can't realistically know all the things we put in www.youtube.com. If Youtube doesn't care about CSP, there's no reason for them to fix it. And Mozilla might not be able to mirror the script to their own servers because it might change at any moment, and their site might break.

Could it be possible to whitelist specific files, instead of complete origins? Maybe even global expressions (e.g. www.youtube.com/scripts/*.js)? Or... maybe Mozilla shouldn't trust Youtube at all?

What about... Content-Type enforcement? Force scripts allowed on a CSP document to have the right Content-Type. How does this apply for the use case of stats services, captcha, ads, etc., which all require external scripts?

I think forcing the right Content-Type for scripts might be the best solution, and maybe a rule to override this behavior. Comments?

Thanks!!

-- Eduardo
Received on Monday, 30 May 2011 17:38:34 UTC
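A small source-expression matcher, added here as an illustration (not code from this thread or from any CSP implementation), contrasting the host-only source that CSP 1.0 offered with the path/glob form the message asks for. The policy strings, the sample URLs, the `*`-within-one-path-segment glob semantics and the function names are assumptions made for this demo; wildcard hosts and keyword sources such as 'self' are out of scope.

```javascript
// Parse a source expression of the form [scheme://]host[:port][/path-glob].
// Assumption for this demo: a source without a path trusts the whole origin
// (CSP 1.0 behaviour); a source with a path must also match the script's path.
function parseSource(expr) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+))?(\/.*)?$/i.exec(expr);
  if (!m) throw new Error('unsupported source expression: ' + expr);
  return {
    scheme: m[1] ? m[1].toLowerCase() : null,
    host: m[2].toLowerCase(),
    port: m[3] || null,
    path: m[4] || null,
  };
}

// Turn a path glob into a RegExp: escape metacharacters, then let '*' stand
// for any run of characters inside a single path segment.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]*');
  return new RegExp('^' + escaped + '$');
}

// Does a single script-src source expression permit loading this URL?
// The query string is never part of the decision, as in CSP path matching.
function sourceAllows(expr, urlString) {
  const src = parseSource(expr);
  const url = new URL(urlString);
  if (src.scheme && src.scheme + ':' !== url.protocol) return false;
  if (src.host !== url.hostname.toLowerCase()) return false;
  if (src.port && src.port !== url.port) return false;
  if (src.path === null) return true;            // host-only: whole origin trusted
  return globToRegExp(src.path).test(url.pathname);
}

// Constructed sample policy entries and URLs for the scenario in the message.
const POLICY_ORIGIN = 'www.youtube.com';              // all CSP 1.0 lets the site say
const POLICY_PATH = 'www.youtube.com/scripts/*.js';   // the glob form proposed above
const LEGIT_SCRIPT = 'https://www.youtube.com/scripts/embed.js';
const JSONP_URL = 'https://www.youtube.com/video/export?id=1337&callback=eval(name)';

function demo() {
  return {
    originAllowsLegit: sourceAllows(POLICY_ORIGIN, LEGIT_SCRIPT), // true
    originAllowsJsonp: sourceAllows(POLICY_ORIGIN, JSONP_URL),    // true: origin-wide trust
    pathAllowsLegit: sourceAllows(POLICY_PATH, LEGIT_SCRIPT),     // true
    pathAllowsJsonp: sourceAllows(POLICY_PATH, JSONP_URL),        // false: outside the glob
  };
}
```

The point the demo makes is the one the message raises: with origin-level whitelisting the JSONP endpoint is indistinguishable from the intended script, whereas a path-scoped source lets the embedding site trust only the file it actually uses.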