Re: Proposal to remove the 'frame-action' directive from CSP 1.1

>
> I'd also note that combining `form-action` with the proposal for more
> granular (directory level) sources would make the directive more effective
> than the paper presupposes. Authors would have the ability to lock a page
> down to submitting forms to specific recipients on their own origin, which
> would be a fairly powerful defense.
>

I'm not sure if I understood this correctly; wouldn't "all" forms be
whitelisted? Assume youtube.com has a comment section that can be used to
exfiltrate data. This comment section has to be on the whitelist if
youtube.com wants users to post comments at all.


-- 
-Eric

Received on Monday, 11 June 2012 17:29:12 UTC
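To make the two positions in this exchange concrete, here is an added example (not code from the thread, the CSP specification, or any browser) of a simplified `form-action` source matcher. It evaluates an origin-level whitelist (`'self'`) and an endpoint-level source against three constructed form targets. Since the 2012 proposal's exact syntax for "directory level" sources is not on the page, the matcher assumes the later CSP Level 2 path rules as a stand-in (a source path ending in `/` is a prefix match, anything else is an exact match); ports, wildcards and `'none'` are omitted, and the youtube.com endpoint paths are constructed placeholders.

```javascript
// Added example (not part of the original thread): a simplified matcher for
// the `form-action` directive, showing what an origin-level source versus an
// endpoint-level source lets an injected <form> submit to.
// Path matching follows the later CSP Level 2 rules (trailing "/" = prefix
// match, otherwise exact match); ports, wildcards and 'none' are omitted.

// Turn one source expression into {scheme, host, path}. A bare host such as
// "youtube.com" is treated as https and gets path "/" from URL parsing, which
// under the prefix rule below means "every path on that host".
function parseSource(expr, pageOrigin) {
  const raw = expr === "'self'" ? pageOrigin : expr;
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : "https://" + raw;
  const u = new URL(withScheme);
  return { scheme: u.protocol, host: u.hostname, path: u.pathname };
}

// Does a form submission to `target` satisfy a `form-action` directive value
// such as "'self' https://youtube.com/comment_post"?
function formActionAllows(directiveValue, target, pageOrigin) {
  const t = new URL(target);
  return directiveValue.trim().split(/\s+/).some((tok) => {
    const src = parseSource(tok, pageOrigin);
    if (t.protocol !== src.scheme || t.hostname !== src.host) return false;
    return src.path.endsWith("/")
      ? t.pathname.startsWith(src.path)
      : t.pathname === src.path;
  });
}

// Constructed sample page and form targets (illustrative, not real endpoints).
const PAGE_ORIGIN = "https://youtube.com";
const TARGETS = {
  commentEndpoint: "https://youtube.com/comment_post",   // must stay reachable for comments to work
  otherSameOrigin: "https://youtube.com/account/update", // some other same-origin handler
  crossOrigin: "https://attacker.example/collect",       // constructed third-party collector
};

// Compare the two policies discussed in the thread against every target.
// Returns { originLevel: {target: allowed, ...}, pathLevel: {...} }.
function evaluatePolicies() {
  const policies = {
    originLevel: "'self'",                          // whole-origin whitelist
    pathLevel: "https://youtube.com/comment_post",  // endpoint-level source
  };
  const result = {};
  for (const [name, value] of Object.entries(policies)) {
    result[name] = {};
    for (const [label, url] of Object.entries(TARGETS)) {
      result[name][label] = formActionAllows(value, url, PAGE_ORIGIN);
    }
  }
  return result;
}

console.table(evaluatePolicies());
```

Running it shows both sides of the argument: the endpoint-level source blocks an injected form aimed at any other same-origin handler, which the origin-level `'self'` cannot do, but under either policy the comment endpoint itself stays reachable, since it has to be whitelisted for legitimate comments to post at all.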