Re: Proposal to remove the 'frame-action' directive from CSP 1.1 from Adam Barth on 2012-06-11 (public-webappsec@w3.org from June 2012)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 11 Jun 2012 12:40:27 -0700
To: Eric Chen <eric.chen@sv.cmu.edu>
Cc: public-webappsec@w3.org, Collin Jackson <collin.jackson@sv.cmu.edu>, Sergey G <serezhka79@gmail.com>
Message-ID: <CAJE5ia-g=zEgcujudU_eZsy0TmVGPUQDirbLDfwE95NXL9xoxg@mail.gmail.com>

On Mon, Jun 11, 2012 at 11:10 AM, Eric Chen <eric.chen@sv.cmu.edu> wrote:
> On Mon, Jun 11, 2012 at 10:59 AM, Adam Barth <w3c@adambarth.com> wrote:
>> It's actually really easy to use form-action 'none' in modern browsers:
>>
>> <form id="foo">
>>  ...
>> </form>
>>
>> == Some external script ==
>>
>> var theForm = document.getElementById("foo");
>> theForm.addEventListener("submit", function() {
>>  var xhr = new XMLHttpRequest();
>>  xhr.open("POST", theURLToSendTheFormTo);
>>  xh.send(theForm);
>> }, false);
>>
>> Also, many sites already use XMLHttpRequest for all their
>> client-to-server communication, so they wouldn't need to be modified
>> at all.
>
> In this case the attacker can just inject <form id="foo"> and trick the
> external script from attaching the event listener to the wrong  form tag.

Again, you're assuming that the web site doesn't use CSRF tokens.

form-action 'none' works out-of-the box for sites like Gmail that use
idioms like the following:

var theForm = document.createElement("form");
[... build the form DOM ...]
theForm.addEventListener("submit", function() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", theURLToSendTheFormTo);
  xhr.send(theForm);
}, false);

In those cases, there's no ID confusion.

This approach also plays well with Web Components
<http://dvcs.w3.org/hg/webcomponents/raw-file/tip/explainer/index.html>
because Web Components scope their selectors to their <template>
elements:

<decorator id="tweet-it">
    <script src="tweet-it.js">
    </script>
    <template>
        <form id="tweet">
          <textarea name="message"></textarea>
          <input type="submit" name="tweet"> [...]
        </form>
    </template>
</decorator>

== tweet-it.js ==

function go(event) {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", theURLToSendTheFormTo);
  xhr.send(event.target);
}
this.listen({selector: "#tweet", type: "submit", handler: go});

I'm not arguing that form-action works for everyone.  I'm just
suggesting that it's far from useless and it plugs one of the bigger
holes we'll be left with in a post-XSS future.

Adam

Received on Monday, 11 June 2012 19:41:29 UTC