Re: CSP and cross-frame communication

On Thu, Mar 1, 2012 at 1:10 AM, David Bruant <bruant.d@gmail.com> wrote:
> Le 29/02/2012 23:04, Adam Barth a écrit :
>> I'm sorry, but the platform cannot currently support your use case.
>> There are only two levels of trust in the platform: either you trust a
>> document or you don't.  If you trust the document, then it can do
>> anything that you can do.  If you don't trust it, then you're fully
>> isolated from it and can communicate with it using postMessage, etc.
>
> This limitation of "2 levels of trust" is exactly what got us screwed in web
> security in the first place. The "if you trust, it can do anything you can
> do" case is what allows XSS to be successful.
> "2 levels of trust" is what should be addressed. And it is. This is
> *exactly* the very reason CSP is being invented: CSP allows finer
> granularity to declare for one document what we trust and what we do not
> trust.
>
> As an example, the different combinations of the script-src directive are as
> many different levels of trust. You load a document and decide to trust:
> 1) no script at all
> 2) some script sources (list declared in the directive)
> 3) some script sources without unsafe evals
> 4) no inline scripts
> 5) some scripts, but with reduced connectivity capabilities (connect-src
> directive)
>
> These reflect different levels of trust in the document you load (it's not
> an exhaustive list).
>
> I would be fine with arguments saying that the directive I propose is of the
> wrong granularity, a bad idea because it doesn't protect from what I want it to
> protect, or because the attack I'm describing is too marginal.
> But "the platform cannot currently support your use case, there are only two
> levels of trust in the platform" does not seem to be a valid argument.

I'm just saying that I don't know of a way to implement what you
propose.  If you're interested, you should try hacking up a copy of
Firefox or WebKit to build a prototype of your idea.

Adam

Received on Thursday, 1 March 2012 09:14:33 UTC
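The five "levels of trust" David enumerates above are all expressible as script-src / connect-src policies, and it is easy to check what each one actually permits. The block below is an added example written for this page, not code from either participant or from any browser: it is a deliberately simplified model of CSP source matching (no wildcards, paths, nonces, hashes or reporting; sources are 'self', 'none', the two unsafe-* keywords, a full origin, or a bare host) that applies the CSP 1.0 rule that inline script and eval are blocked whenever script-src (or default-src) is present unless 'unsafe-inline' / 'unsafe-eval' are listed. Every policy, origin and URL in it is constructed for illustration.

```javascript
// Added example: a simplified model of how CSP script-src / connect-src
// classify loads. This is NOT a browser's CSP implementation (see lead-in).
// All policies, origins and URLs below are constructed for illustration.

function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// A fetch directive falls back to default-src when absent; with neither
// present the load is unrestricted, which we signal with null.
function sourceList(directives, name) {
  if (name in directives) return directives[name];
  if ('default-src' in directives) return directives['default-src'];
  return null;
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sourceMatches(src, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  if (src === "'self'") return originOf(url) === originOf(pageOrigin);
  if (src === '*') return true;
  if (src.includes('://')) return originOf(src) === originOf(url);
  // bare host expression: that host, on the protected page's scheme
  return src === target.host && target.protocol === page.protocol;
}

function listAllows(list, url, pageOrigin) {
  if (list === null) return true;
  if (list.includes("'none'")) return false;
  return list.some((src) => sourceMatches(src, url, pageOrigin));
}

// request.kind is one of: 'script' (external, needs url), 'inline-script',
// 'eval', or 'connect' (XHR / WebSocket target, needs url).
function isAllowed(policy, request, pageOrigin) {
  const d = parsePolicy(policy);
  const scripts = sourceList(d, 'script-src');
  switch (request.kind) {
    case 'script':
      return listAllows(scripts, request.url, pageOrigin);
    case 'inline-script':
      // once script-src (or default-src) is set, inline code is off unless
      // 'unsafe-inline' is listed explicitly; same for eval below
      return scripts === null || scripts.includes("'unsafe-inline'");
    case 'eval':
      return scripts === null || scripts.includes("'unsafe-eval'");
    case 'connect':
      return listAllows(sourceList(d, 'connect-src'), request.url, pageOrigin);
    default:
      throw new Error(`unknown request kind: ${request.kind}`);
  }
}

// One policy per level in David's list (numbering as in the thread).
const LEVELS = {
  '1 no script': "script-src 'none'",
  '2 listed sources': "script-src 'self' https://cdn.example.com 'unsafe-inline' 'unsafe-eval'",
  '3 listed, no eval': "script-src 'self' https://cdn.example.com 'unsafe-inline'",
  '4 listed, no inline': "script-src 'self' https://cdn.example.com",
  '5 listed, reduced connectivity': "script-src 'self' https://cdn.example.com; connect-src 'self'",
};

// Constructed probe loads against a protected page at https://example.com.
const PROBES = {
  'own script': { kind: 'script', url: 'https://example.com/app.js' },
  'cdn script': { kind: 'script', url: 'https://cdn.example.com/lib.js' },
  'third-party script': { kind: 'script', url: 'https://ads.example.net/t.js' },
  'inline script': { kind: 'inline-script' },
  'eval': { kind: 'eval' },
  'XHR to api.example.net': { kind: 'connect', url: 'https://api.example.net/v1' },
};

// Returns { level: { probe: allowed } } for the protected page at pageOrigin.
function trustMatrix(pageOrigin = 'https://example.com') {
  const out = {};
  for (const [level, policy] of Object.entries(LEVELS)) {
    out[level] = {};
    for (const [probe, req] of Object.entries(PROBES)) {
      out[level][probe] = isAllowed(policy, req, pageOrigin);
    }
  }
  return out;
}

console.table(trustMatrix());
```

Run it with node and the table makes the granularity point concrete: levels 2 to 5 all load the same two script origins, yet differ in whether injected inline code runs, whether eval is reachable, and whether script that does run can talk to arbitrary hosts. Note also what the model makes visible: level 1 still allows the XHR probe, because restricting connect-src is independent of restricting script-src, and a policy with default-src set blocks inline script even when script-src is never mentioned.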