- From: Mike West <mkwst@google.com>
- Date: Sat, 29 Dec 2012 10:53:24 +0100
- To: Yoav Weiss <yoav@yoav.ws>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Dec 28, 2012 at 12:29 PM, Yoav Weiss <yoav@yoav.ws> wrote:

> For example, for a site that enables inline-scripts but restricts its
> allowed hosts using `default-src`, a user-generated malicious inline script
> that is part of the page's HTML can steal session cookies, but cannot send
> them to a malicious host. Allowing that script (that runs before the
> domReady is in interactive mode) to modify the CSP directives by dynamically
> adding a `connect-src` directive, will enable the attacker to send the
> stolen cookie data to the malicious host.

If more than one policy is present (because two `Content-Security-Policy`
headers were delivered, for instance), each is enforced. This means that the
malicious inline script in your example would be able to inject a new policy
that included `connect-src`, but that any connection would have to be allowed
by _both_ the new and existing policies. It shouldn't be possible to loosen an
existing policy via header or meta tag injection, only to tighten the page's
effective policy by adding additional restrictions.

Note also that 3.1.3 is very much still in flux. The rules outlined there
don't reflect WebKit's current implementation, and some of the important
questions are still up in the air. Feedback on the use-cases surrounding the
meta tag is very welcome. :)

> What is the benefit from allowing dynamically added CSP directives?
> Wouldn't it be safer to restrict them altogether?

The use case that's clearest to me is an application that "boots" with some
loose (or non-existent) policy, and then locks itself down once it's finished
doing dangerous things by injecting a meta tag.

The meta tag also allows users who don't have control over a page's HTTP
headers (shared hosting, etc) to use CSP to lower their risk of attack.

--
Mike West <mkwst@google.com>, Developer Advocate
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Saturday, 29 December 2012 09:54:14 UTC
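The composition rule Mike describes (every delivered policy is enforced, so a request must satisfy all of them) is what makes the injected `connect-src` in Yoav's scenario harmless. The following is an added example, not code from the mail, from WebKit or from the spec: a small JavaScript model of a user agent combining several policies, run over constructed policies and hostnames (`app.example`, `attacker.example`, `cdn.example` are made up). Directive fallback to `default-src` and host-source matching are simplified relative to the spec, and path components of source expressions are ignored.

```javascript
// Added example (not the mail's or any browser's code): a toy model of how a
// user agent combines several Content-Security-Policy policies, e.g. two
// headers, or a header plus an injected <meta> tag. Simplified vs. the spec.

// Parse "default-src 'self'; connect-src https://api.example" into
// { "default-src": ["'self'"], "connect-src": ["https://api.example"] }.
function parsePolicy(text) {
  const policy = {};
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives that fall back to default-src when not set explicitly.
const FALLS_BACK_TO_DEFAULT = new Set([
  'connect-src', 'script-src', 'style-src', 'img-src', 'font-src', 'media-src', 'object-src',
]);

// Source list governing `directive` in one policy, or null if the policy is silent on it.
function effectiveSources(policy, directive) {
  if (policy[directive]) return policy[directive];
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy['default-src']) return policy['default-src'];
  return null;
}

function defaultPort(scheme) {
  return scheme === 'https' ? '443' : scheme === 'http' ? '80' : '';
}

// Does one source expression match `url`, given the page's own URL `self`?
// Handles '*', 'self', scheme-sources ("https:") and host-sources with an
// optional scheme, "*." wildcard and port. Path parts of the expression are ignored.
function sourceMatches(expr, url, self) {
  if (expr === '*') return true;
  if (expr === "'self'") return url.origin === self.origin;
  if (expr.startsWith("'")) return false;          // 'none', 'unsafe-inline', ... never match a URL
  const urlScheme = url.protocol.slice(0, -1).toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {        // scheme-source
    return expr.slice(0, -1).toLowerCase() === urlScheme;
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const scheme = (m[1] || self.protocol.slice(0, -1)).toLowerCase();
  const host = m[2].toLowerCase();
  const port = m[3] || defaultPort(scheme);
  if (scheme !== urlScheme) return false;
  const hostname = url.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    if (!hostname.endsWith(host.slice(1))) return false;   // "*.example" matches "a.example", not "example"
  } else if (hostname !== host) {
    return false;
  }
  return port === '*' || port === (url.port || defaultPort(urlScheme));
}

// A request is permitted only if every policy in effect permits it, so adding
// a policy can only remove permissions, never grant them.
function allowedByAll(policies, directive, urlString, selfString) {
  const url = new URL(urlString);
  const self = new URL(selfString);
  return policies.every((policy) => {
    const sources = effectiveSources(policy, directive);
    if (sources === null) return true;             // this policy says nothing about the directive
    return sources.some((expr) => sourceMatches(expr, url, self));
  });
}

// Yoav's scenario: a delivered policy plus a connect-src policy injected by an
// inline script. Hostnames are constructed for the example.
function injectedConnectSrcScenario() {
  const page = 'https://app.example/';
  const exfil = 'https://attacker.example/steal';
  const delivered = parsePolicy("default-src 'self'; script-src 'self' 'unsafe-inline'");
  const injected = parsePolicy('connect-src https://attacker.example');
  return {
    deliveredAlone: allowedByAll([delivered], 'connect-src', exfil, page),
    injectedAlone: allowedByAll([injected], 'connect-src', exfil, page),
    both: allowedByAll([delivered, injected], 'connect-src', exfil, page),
    ownApiAfterInjection: allowedByAll([delivered, injected], 'connect-src', 'https://app.example/api', page),
  };
}

// Mike's use case: boot with a loose policy, then lock down via a meta tag.
function lockdownScenario() {
  const page = 'https://app.example/';
  const boot = parsePolicy('default-src *');
  const lockdown = parsePolicy("default-src 'self'");
  return {
    thirdPartyBeforeLockdown: allowedByAll([boot], 'img-src', 'https://cdn.example/x.png', page),
    thirdPartyAfterLockdown: allowedByAll([boot, lockdown], 'img-src', 'https://cdn.example/x.png', page),
    ownAfterLockdown: allowedByAll([boot, lockdown], 'img-src', 'https://app.example/x.png', page),
  };
}

console.log(injectedConnectSrcScenario(), lockdownScenario());
```

The injected `connect-src` on its own would permit the exfiltration request, but combined with the delivered policy the request is still refused, because `connect-src` in the delivered policy falls back to `default-src 'self'`. Note the side effect that `ownApiAfterInjection` shows: the injected policy also blocks the page's own API calls, so an attacker who can inject a policy can break the page, but not widen what it may contact.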