- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 11 Jun 2012 10:44:42 -0700
- To: Eric Chen <eric.chen@sv.cmu.edu>
- Cc: Mike West <mkwst@google.com>, public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>
On Mon, Jun 11, 2012 at 10:28 AM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
>> I'd also note that combining `form-action` with the proposal for more
>> granular (directory level) sources would make the directive more effective
>> than the paper presupposes. Authors would have the ability to lock a page
>> down to submitting forms to specific recipients on their own origin, which
>> would be a fairly powerful defense.
>
> I'm not sure if I understood this correctly, wouldn't "all" forms be
> whitelisted? Assume youtube.com has a comment section that can be used to
> exfiltrate data. This comment section has to be on the whitelist if youtube.com
> wants users to post comments at all.

I presume YouTube uses CSRF tokens on their comment fields. The attacker
won't be able to learn the CSRF token without being able to execute script
(and if the attacker can run script, there are plenty of other exfiltration
avenues).

Recall that the context for this discussion is "Postcards from the post-XSS
world":

http://lcamtuf.coredump.cx/postxss/

Specifically, getting ahead of the curve so that we're ready with defenses
for the next set of attacks after CSP has stopped XSS. (Yeah, we're
optimists.)

Adam
Received on Monday, 11 June 2012 17:46:19 UTC