- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 30 May 2011 11:00:48 -0700
- To: sird@rckc.at
- Cc: public-web-security@w3.org, masatokinugawa@gmail.com
On Mon, May 30, 2011 at 10:37 AM, Eduardo Vela <sirdarckcat@gmail.com> wrote:
> Hi List.
>
> I think this issue has come up before (can't find the thread but I've
> seen it) and Masato (cc'd) brought this up to us recently.
>
> What can a CSP user do in the following case:
>
> 1. www.mozilla.org trusts scripts from www.youtube.com because they
> use one of their scripts.
> 2. Attacker is able to do
> www.youtube.com/video/export?id=1337&callback=eval(name)

Won't that be blocked because eval is blocked?

Adam

> 3. Then Mozilla isn't capable of protecting using CSP.
>
> In general, Mozilla can't realistically know all the things we put in
> www.youtube.com. If Youtube doesn't care about CSP, there's no reason
> for them to fix it. And Mozilla might not be able to mirror the script
> to their own servers because it might change at any moment, and their
> site might break.
>
> Could it be possible to whitelist specific files, instead of complete
> origins? Maybe even global expressions (e.g.
> www.youtube.com/scripts/*.js)?
> Or.. maybe Mozilla shouldn't trust Youtube at all?
> What about.. Content-Type enforcement? Force scripts allowed on a CSP
> document to have the right Content-Type.
>
> How does this apply for the use case of stats services, captcha, ads,
> etc.. which all require external scripts?
>
> I think forcing the right Content-Type for scripts might be the best
> solution, and maybe a rule to override this behavior, comments?
>
> Thanks!!
>
> -- Eduardo
Received on Monday, 30 May 2011 18:01:47 UTC
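The granularity problem Eduardo describes, as an added illustration that is not part of the thread or of any CSP implementation: an origin-level script-src allows every path on www.youtube.com, a host+path glob allow list (his proposal) does not, and a Content-Type check acts as an independent third filter. The allow lists, URLs and response headers below are constructed for the example; the glob syntax and the Content-Type rule are the thread's suggestions, not spec behaviour.

```python
"""Compares three ways of deciding whether a script response may execute under
a policy: origin-only (what CSP offered), host+path globs (proposed in the
thread), and Content-Type enforcement (also proposed). Everything is constructed."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Origin-granularity allow list: the only granularity script-src provided.
ORIGIN_ALLOW = {"www.mozilla.org", "www.youtube.com"}
# Hypothetical host+path glob allow list, in the shape Eduardo suggested.
PATH_ALLOW = {"www.mozilla.org/*", "www.youtube.com/scripts/*.js"}
# Media types a response must declare under the proposed Content-Type rule.
SCRIPT_TYPES = {"application/javascript", "text/javascript"}


def allowed_by_origin(url):
    """Passes if the script's host is listed, whatever its path or query."""
    return urlsplit(url).hostname in ORIGIN_ALLOW


def allowed_by_path(url):
    """Passes only if host + path matches an allow-listed glob (query ignored)."""
    parts = urlsplit(url)
    return any(fnmatchcase(f"{parts.hostname}{parts.path}", g) for g in PATH_ALLOW)


def allowed_by_content_type(content_type):
    """Passes only if the response's declared media type is a script type."""
    return content_type.split(";")[0].strip().lower() in SCRIPT_TYPES


def evaluate(url, content_type):
    """Returns the verdict of each rule so the differences are visible side by side."""
    return {
        "origin": allowed_by_origin(url),
        "path": allowed_by_path(url),
        "content_type": allowed_by_content_type(content_type),
    }


# Constructed requests: the legitimate embed and the export endpoint from the thread.
# The export endpoint's Content-Type is an assumption; an endpoint that served
# text/javascript would pass the Content-Type rule, which is why the path rule matters.
SAMPLES = {
    "https://www.youtube.com/scripts/player.js": "text/javascript; charset=utf-8",
    "https://www.youtube.com/video/export?id=1337&callback=cb": "application/json",
}

if __name__ == "__main__":
    for sample_url, ctype in SAMPLES.items():
        print(sample_url, evaluate(sample_url, ctype))
```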