RE: [webappsec] Including URI fragment in CSP reports (ACTION-43)

It's a very good point that fragments are a major DOM XSS vector, so opt-in could be valuable.
But that also sounds like a new feature, and hence this should probably be a v1.1 work item.

Unless we have interest from implementers now?  


> -----Original Message-----
> From: Giorgio Maone [mailto:g.maone@informaction.com]
> Sent: Tuesday, January 31, 2012 12:29 AM
> To: Steingruebl, Andy
> Cc: Hill, Brad; public-webappsec@w3.org
> Subject: Re: [webappsec] Including URI fragment in CSP reports (ACTION-43)
> 
> IMHO making fragment logging an *opt-in* feature of CSP reports would
> make them considerably more useful than plain HTTP logs in analyzing the
> actual intent of some DOM XSS attempts, but also of two-stages reflected XSS
> attacks like
> 
> http://acme.com/?xss=<script>eval(unescape(location))</script>#%0Aalert("surprise")
> 
> where the actual payload would be otherwise undetectable.
> 
> --
> Giorgio Maone

Received on Tuesday, 31 January 2012 17:34:53 UTC
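To make the thread's point concrete from the report-receiver's side, here is an added example (not code from the thread or from any CSP implementation) showing why the fragment matters for triage. It parses two constructed CSP violation reports: one in the usual shape, where `document-uri` carries no fragment, and one in the hypothetical opt-in shape discussed above, where the fragment is retained. Only in the second case can the receiver recover the decoded fragment and apply a simple heuristic (characters that do not belong in an ordinary in-page navigation fragment) to flag it for analyst review. The report field names follow the `csp-report` JSON format; the sample bodies, the `SUSPICIOUS` character set and the opt-in form are assumptions for illustration.

```python
import json
from urllib.parse import urlsplit, unquote

# Constructed sample reports (not real traffic). The first mimics a standard
# report, whose document-uri has no fragment; the second mimics the hypothetical
# opt-in form from the thread, where the fragment is kept (percent-encoded).
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "http://acme.com/?q=1",'
    ' "violated-directive": "script-src \'self\'", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "http://acme.com/?q=1#%0Aalert(%22surprise%22)",'
    ' "violated-directive": "script-src \'self\'", "blocked-uri": "inline"}}',
]

# Characters that are unusual in a fragment used for in-page navigation but
# common in script text; a deliberately simple heuristic, assumed for this example.
SUSPICIOUS = set('<>()"\'\n\r;')


def parse_report(line):
    """Parse one CSP report line into the fields an analyst would look at."""
    body = json.loads(line).get("csp-report", {})
    parts = urlsplit(body.get("document-uri", ""))
    return {
        # page URL without the fragment, i.e. what an HTTP access log would show
        "page": parts._replace(fragment="").geturl(),
        # decoded fragment, or None when the report (as usual) omits it
        "fragment": unquote(parts.fragment) if parts.fragment else None,
        "directive": body.get("violated-directive"),
        "blocked": body.get("blocked-uri"),
    }


def looks_like_script_fragment(fragment):
    """True when a fragment contains characters typical of injected script."""
    return fragment is not None and any(ch in SUSPICIOUS for ch in fragment)


def triage(lines):
    """Parse every report and mark those whose fragment deserves review."""
    findings = []
    for line in lines:
        rec = parse_report(line)
        rec["fragment_suspicious"] = looks_like_script_fragment(rec["fragment"])
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in triage(SAMPLE_REPORTS):
        print(rec)
```

Running the script shows the first report reducing to exactly the information already present in a server log, while the second yields the decoded fragment and a `fragment_suspicious` flag; that difference is the extra signal an opt-in would give a CSP report collector.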