Re: Proposal to remove the 'frame-action' directive from CSP 1.1

What about form-action 'none'? Is that still useful?

Also, you might expect that web sites that implement CSP are more
interested in security and therefore more likely to be part of the 60%
that protect themselves from CSRF.

Adam


On Fri, Jun 8, 2012 at 1:21 PM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
> Hello Everyone:
>
> I would like to propose the removal of 'frame-action' directive from CSP 1.1
> because it offers very little security guarantees from data exfiltration
> attacks. We wrote a paper on this particular
> topic: http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf
>
> In summary, the attack works as follows:
> 1. Alice has a blog that uses the 'form-action' directive to protect data
> from being sent to evil.com
> 2. The attacker creates a form that posts the user's data to the comment
> section of a blog post.
> 3. The attacker reads the blog post to extract the data
>
> We discovered that 40% of the Alexa top 100 websites contain at least one
> exfiltration channel without CSRF protection, which makes them susceptible
> to this attack (yes, even with JavaScript disabled).
>
> --
> -Eric
>
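To make the mechanics of the exchange concrete, here is an added illustration (not code from the thread or from the paper): a simplified matcher for the CSP form-action source list, showing that `form-action 'self'` still permits posting to the blog's own comment endpoint while `form-action 'none'` blocks every form target, and that a per-session CSRF token on that endpoint is what actually closes the channel. The origins blog.example and evil.example, the comment URL and the secret are constructed placeholders.

```python
"""Constructed illustration of CSP form-action matching and a CSRF check."""
import hmac
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://blog.example"  # hypothetical origin of Alice's blog
CSRF_SECRET = b"constructed-demo-secret"  # placeholder, not a real key


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def form_action_allows(header: str, target_url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """True if the form-action directive in a CSP header value permits a form
    submission to target_url. Simplified source matching: 'none', 'self', '*',
    scheme://host, *.host and bare-host sources; ports and paths not modelled."""
    sources = None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "form-action":
            sources = value.split()
    if sources is None:
        return True  # directive absent: CSP places no restriction on form targets
    target_origin = _origin(target_url)
    target_host = (urlsplit(target_url).hostname or "").lower()
    for src in sources:
        if src == "'none'":
            continue  # 'none' matches nothing; alone it blocks everything
        if src == "*" or (src == "'self'" and target_origin == page_origin.lower()):
            return True
        if src.startswith("*.") and target_host.endswith(src[1:].lower()):
            return True
        if "://" in src and _origin(src) == target_origin:
            return True
        if "://" not in src and src.lower() == target_host:
            return True
    return False


def csrf_token(session_id: str) -> str:
    """Per-session token the blog embeds in its own comment form."""
    return hmac.new(CSRF_SECRET, session_id.encode(), "sha256").hexdigest()


def comment_endpoint_accepts(form_fields: dict, session_id: str) -> bool:
    """Server-side check on the comment handler: a form hosted elsewhere cannot
    read the token bound to the victim's session, so its post is rejected."""
    return hmac.compare_digest(form_fields.get("csrf_token", ""), csrf_token(session_id))
```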

Received on Monday, 11 June 2012 17:13:46 UTC