W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2012

Content-Security-Policy and dynamically added meta elements

From: Yoav Weiss <yoav@yoav.ws>
Date: Fri, 28 Dec 2012 12:29:39 +0100
Message-ID: <CACj=BEg_Yz8YtjYw2e5B-+Z+SoFrh8KeaaD7STGbDq1gWdRCkQ@mail.gmail.com>
To: public-webappsec@w3.org
Hello all,

I’m wondering regarding the benefits of allowing dynamically added meta
elements with CSP directives vs. the extra security vulnerabilities that it

>From a security perspective, as far as I can tell, the various restrictions
in section 3.1.3 still permit some form of expanding an XSS attack.

For example, for a site that enables inline-scripts but restricts its
allowed hosts using `default-src`, a user-generated malicious inline script
that is part of the page’s HTML can steal session cookies, but cannot send
them to a malicious host. Allowing that script (that runs before the
domReady is in interactive mode) to modify the CSP directives by
dynamically adding a `connect-src` directive, will enable the attacker to
send the stolen cookie data to the malicious host.

What is the benefit from allowing dynamically added CSP directives?
Wouldn’t it be safer to restrict them altogether?

Yoav Weiss
Received on Friday, 28 December 2012 11:30:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:30 UTC