Re: Proposal to remove the 'frame-action' directive from CSP 1.1

On Mon, Jun 11, 2012 at 10:59 AM, Adam Barth <w3c@adambarth.com> wrote:
>
>
> It's actually really easy to use form-action 'none' in modern browsers:
>
> <form id="foo">
>  ...
> </form>
>
> == Some external script ==
>
> var theForm = document.getElementById("foo");
> theForm.addEventListener("submit", function(event) {
>  // Stop the browser's native submission; the data goes out via XHR instead.
>  event.preventDefault();
>  var xhr = new XMLHttpRequest();
>  xhr.open("POST", theURLToSendTheFormTo);
>  // send() takes a FormData object, not the form element itself.
>  xhr.send(new FormData(theForm));
> }, false);
>
> Also, many sites already use XMLHttpRequest for all their
> client-to-server communication, so they wouldn't need to be modified
> at all.
>

In this case the attacker can just inject <form id="foo"> and trick the
external script into attaching the event listener to the wrong form tag.

-- 
-Eric

Received on Monday, 11 June 2012 18:11:07 UTC