- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Sun, 30 Dec 2012 01:39:04 -0800
- To: Yoav Weiss <yoav@yoav.ws>
- CC: public-webappsec@w3.org
On 12/28/2012 3:29 AM, Yoav Weiss wrote:

> For example, for a site that enables inline-scripts but restricts its
> allowed hosts using `default-src`, a user-generated malicious inline
> script that is part of the page’s HTML can steal session cookies, but
> cannot send them to a malicious host.

CSP doesn't cover navigation, so if you can run malicious script you can always exfiltrate data by setting document.location. Redirect back to the Referer and some users won't even notice.

> What is the benefit from allowing dynamically added CSP directives?
> Wouldn’t it be safer to restrict them altogether?

We're just starting to define CSP 1.1 and one of our discussions will be how to balance the additional risks of <meta> against the benefits. The text in the editor's draft is just a proposal; we haven't agreed to anything beyond including some form of <meta> support.

-Dan Veditz
Received on Sunday, 30 December 2012 09:39:35 UTC
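The point Dan makes above, that a host allowlist in `default-src` gives little protection once inline script is permitted because CSP does not govern navigation, can be turned into a policy check. The following linter is an added example written for this page, not code from the thread or from any CSP implementation; it parses a policy string with the CSP 1.0 grammar (directives separated by `;`, sources by whitespace) and applies the later CSP Level 2 rule that a nonce or hash source neutralises `'unsafe-inline'`, which the 2012 draft did not yet have.

```python
"""Lint a Content-Security-Policy string for the weakness discussed in
the thread: restricting hosts does not stop exfiltration when inline
script can run, since CSP does not cover navigation (document.location).
Added example, not code from the thread."""


def parse_csp(policy: str) -> dict:
    """Return {directive_name: [source tokens]} for a policy string."""
    directives = {}
    for raw in policy.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        # CSP honours only the first occurrence of a directive name
        directives.setdefault(name, sources)
    return directives


def script_sources(directives: dict) -> list:
    """script-src governs scripts if present; default-src is the fallback."""
    if "script-src" in directives:
        return directives["script-src"]
    return directives.get("default-src", [])


def allows_inline_script(sources: list) -> bool:
    """True if the effective source list lets inline <script> blocks run."""
    if "'unsafe-inline'" not in sources:
        return False
    # CSP Level 2 and later: a nonce or hash source makes 'unsafe-inline' ignored
    strong = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return not any(s.startswith(strong) for s in sources)


def lint_policy(policy: str) -> list:
    """Return a list of findings (strings); an empty list means no issue found."""
    directives = parse_csp(policy)
    sources = script_sources(directives)
    findings = []
    if not sources:
        findings.append("no script-src or default-src: scripts are unrestricted")
    elif allows_inline_script(sources):
        findings.append("inline script allowed: any injected inline script runs")
        # Host allowlisting is not a data-exfiltration control: CSP does not
        # restrict navigation, so the script can send data by setting document.location
        findings.append("host allowlist does not stop exfiltration via navigation")
    return findings
```

Policies whose only inline-script control is a nonce or hash come back clean, which is the shape a policy should take instead of relying on the host list.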