- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 8 Jun 2012 12:12:51 -0700
- To: Eric Chen <eric.chen@sv.cmu.edu>
- Cc: public-web-security@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>
public-web-security is the mailing list for the general security interest group. Discussions about CSP should take place on public-webappsec. Would you be willing to re-send your message to that list?

Thanks!
Adam

On Thu, Jun 7, 2012 at 8:05 PM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
> Hello Everyone:
>
> I would like to propose the removal of 'frame-action' directive from CSP 1.1
> because it offers very little security guarantees from data exfiltration
> attacks. We wrote a paper on this particular
> topic: http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf
>
> In summary, the attack works as follows:
> 1. Alice has a blog that uses the 'form-action' directive to protect data
> from being sent to evil.com
> 2. The attacker creates a form that posts the user's data to the comment
> section of a blog post.
> 3. The attacker reads the blog post to extract the data
>
> We discovered that 40% of the Alexa top 1xx websites contain at least one
> exfiltration channel without CSRF protection, which makes them susceptible
> to this attack (yes, even with JavaScript disabled).
>
> --
> -Eric
>
Received on Friday, 8 June 2012 19:13:53 UTC