- From: Eric Chen <eric.chen@sv.cmu.edu>
- Date: Mon, 11 Jun 2012 10:48:12 -0700
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>
- Message-ID: <CAF8haax4T0pcj1u0ytPR0ZUw6mjbju_-GWFY=zeO_kkttgA8oQ@mail.gmail.com>
> What about form-action 'none'. Is that still useful? > I think it is very hard to find a site like this. Also there's nothing to exfiltrate if the user can't log in :) > Also, you might expect that web sites that implement CSP are more > interested in security and therefore more likely to be part of the 60% > that protect themselves from CSRF. We actually did a survey on 11 sites that actually adopted CSP (out of Alexa 1,000,000) and I believe 1 or 2 of these sites have CSRF-token-less forms. This is probably not a good indication of all sites that will adopt CSP in the future, but I think it's not easy to secure all form posts. > > > On Fri, Jun 8, 2012 at 1:21 PM, Eric Chen <eric.chen@sv.cmu.edu> wrote: > > Hello Everyone: > > > > I would like to propose the removal of 'frame-action' directive from CSP > 1.1 > > because it offers very little security guarantees from data exfiltration > > attacks. We wrote a paper on this particular > > topic: http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf > > > > In summary, the attack works as follows: > > 1. Alice has a blog that uses the 'form-action' directive to protect data > > from being sent to evil.com > > 2. The attacker creates a form that posts the user's data to the comment > > section of a blog post. > > 3. The attacker reads the blog post to extract the data > > > > We discovered that 40% of the Alexa top 100 websites contain at least one > > exfiltration channels without CSRF protection, which makes them > susceptible > > to this attack (yes, even with JavaScript disabled). > > > > -- > > -Eric > > > -- -Eric
Received on Monday, 11 June 2012 17:48:41 UTC