- From: Yoav Weiss <yoav@yoav.ws>
- Date: Fri, 28 Dec 2012 12:29:39 +0100
- To: public-webappsec@w3.org
- Message-ID: <CACj=BEg_Yz8YtjYw2e5B-+Z+SoFrh8KeaaD7STGbDq1gWdRCkQ@mail.gmail.com>
Hello all,

I'm wondering about the benefits of allowing dynamically added meta elements with CSP directives vs. the extra security vulnerabilities that it poses.

From a security perspective, as far as I can tell, the various restrictions in section 3.1.3 still permit some form of expanding an XSS attack. For example, for a site that enables inline scripts but restricts its allowed hosts using `default-src`, a user-generated malicious inline script that is part of the page's HTML can steal session cookies, but cannot send them to a malicious host. Allowing that script (that runs before the domReady is in interactive mode) to modify the CSP directives by dynamically adding a `connect-src` directive will enable the attacker to send the stolen cookie data to the malicious host.

What is the benefit from allowing dynamically added CSP directives? Wouldn't it be safer to restrict them altogether?

Thanks,
Yoav Weiss
Received on Friday, 28 December 2012 11:30:07 UTC