Proposal to remove the 'frame-action' directive from CSP 1.1

Hello Everyone:

I would like to propose the removal of 'frame-action' directive from CSP
1.1 because it offers very little security guarantees from data
exfiltration attacks. We wrote a paper on this particular topic:

In summary, the attack works as follows:
1. Alice has a blog that uses the 'form-action' directive to protect data
from being sent to
2. The attacker creates a form that posts the user's data to the comment
section of a blog post.
3. The attacker reads the blog post to extract the data

We discovered that 40% of the Alexa top 1xx websites contain at least one
exfiltration channels without CSRF protection, which makes them susceptible
to this attack (yes, even with JavaScript disabled).


Received on Friday, 8 June 2012 15:38:53 UTC