Content-Security-Policy and dynamically added meta elements

Hello all,

I’m wondering about the benefits of allowing dynamically added meta
elements with CSP directives vs. the extra security vulnerabilities that it
poses.

From a security perspective, as far as I can tell, the various restrictions
in section 3.1.3 still permit some form of expanding an XSS attack.

For example, for a site that enables inline-scripts but restricts its
allowed hosts using `default-src`, a user-generated malicious inline script
that is part of the page’s HTML can steal session cookies, but cannot send
them to a malicious host. Allowing that script (that runs before the
domReady is in interactive mode) to modify the CSP directives by
dynamically adding a `connect-src` directive will enable the attacker to
send the stolen cookie data to the malicious host.

What is the benefit from allowing dynamically added CSP directives?
Wouldn’t it be safer to restrict them altogether?

Thanks,
Yoav Weiss

Received on Friday, 28 December 2012 11:30:07 UTC
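A worked illustration of the `connect-src` decision in the scenario above, added here as an example and not code from the mail or from any CSP implementation. It models each delivered policy (header or `<meta>`) as enforced independently, as the current CSP specification requires, so a request must be permitted by every policy and a later meta policy can only narrow, never widen, what the header already restricts. The policy strings, host names and the simplified host matching (exact host or a leading `*.` wildcard; schemes and ports ignored) are constructed assumptions for the demonstration.

```javascript
// Parse a CSP string such as "default-src 'self'; connect-src 'self' https://cdn.example"
// into a Map of directive name -> list of source expressions.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // CSP ignores duplicate directives within one policy: the first occurrence wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Simplified source-expression matching (assumption: host-only comparison).
function sourceMatches(source, host, pageHost) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return host === pageHost;
  if (s === "*") return true;
  const bare = s.replace(/^https?:\/\//, "").replace(/\/.*$/, "");
  if (bare.startsWith("*.")) {
    // "*.example.org" matches any subdomain but not "example.org" itself.
    return host.endsWith(bare.slice(1)) && host !== bare.slice(2);
  }
  return host === bare;
}

// Does ONE policy permit this fetch directive to reach `host`?
// Fetch directives fall back to default-src when absent; a policy that sets
// neither places no restriction on the request.
function policyAllows(directives, directive, host, pageHost) {
  const sources = directives.get(directive) ?? directives.get("default-src");
  if (sources === undefined) return true;
  return sources.some((src) => sourceMatches(src, host, pageHost));
}

// Multiple policies are enforced independently: the request must pass all of them.
function connectAllowed(policies, host, pageHost) {
  return policies.every((p) => policyAllows(parsePolicy(p), "connect-src", host, pageHost));
}

// Constructed scenario: the server's header policy versus a meta policy an
// injected inline script might try to add to open connect-src to another host.
const HEADER_POLICY = "default-src 'self'";
const ADDED_META_POLICY = "connect-src 'self' https://attacker.example";
```

With only the header in force, a connection to `attacker.example` is refused; adding the meta policy on top leaves the answer unchanged, because the header policy still has to agree.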