Re: Proposal to remove the 'frame-action' directive from CSP 1.1

public-web-security is the mailing list for the general security
interest group.  Discussions about CSP should take place on
public-webappsec.  Would you be willing to re-send your message to
that list?


On Thu, Jun 7, 2012 at 8:05 PM, Eric Chen <> wrote:
> Hello Everyone:
> I would like to propose the removal of 'frame-action' directive from CSP 1.1
> because it offers very little security guarantees from data exfiltration
> attacks. We wrote a paper on this particular
> topic:
> In summary, the attack works as follows:
> 1. Alice has a blog that uses the 'form-action' directive to protect data
> from being sent to
> 2. The attacker creates a form that posts the user's data to the comment
> section of a blog post.
> 3. The attacker reads the blog post to extract the data
> We discovered that 40% of the Alexa top 1xx websites contain at least one
> exfiltration channels without CSRF protection, which makes them susceptible
> to this attack (yes, even with JavaScript disabled).
> --
> -Eric

Received on Friday, 8 June 2012 19:13:53 UTC