Re: CSP - 'unsafe-inline' for 'style-src' directive, actually unsafe? from Eduardo' Vela on 2012-03-20 (public-webappsec@w3.org from March 2012)

From: Eduardo' Vela <evn@google.com>
Date: Mon, 19 Mar 2012 19:02:07 -0700
To: sec_ext <sec_ext@fb.com>
Cc: Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAFswPa-vuJcu_7y_Z2hwy2-O8zo2sx_fCogvmj+5NO6J8zgZEA@mail.gmail.com>

>
> It is not entirely clear how allowing inline CSS ('style-src
> 'unsafe-inline';) can lead to XSS if you are blocking inline and external
> JS (script-src none;)

https://docs.google.com/viewer?url=http://www.businessinfo.co.uk/labs/talk/The_Sexy_Assassin.ppt

That predates CSP, but well.. some of the things Adam mentions start in
slide 22.

The attacks were improved considerably since then.. I think Mario ended up
with just 1 req per char.

So for the facebook case, one could potentially read fb_dtsg.

Greetings!!


On Mon, Mar 19, 2012 at 3:36 PM, sec_ext <sec_ext@fb.com> wrote:

> Hey Adam,
>
> Thanks for the clarification, my main concern was with the "if they wish
> to protect themselves against XSS" portion.
>
> Definitely aware of the other associated risks :)
>
> Thanks again
>
>
> On 3/19/12 3:25 PM, "Adam Barth" <w3c@adambarth.com> wrote:
>
> >On Mon, Mar 19, 2012 at 2:48 PM, sec_ext <sec_ext@fb.com> wrote:
> >> In the CSP specification, it states "authors should not include
> >> 'unsafe-inline' in their CSP policies if they wish to protect themselves
> >> against XSS."
> >>
> >> It is not entirely clear how allowing inline CSS ('style-src
> >> 'unsafe-inline';) can lead to XSS if you are blocking inline and
> >>external
> >> JS (script-src none;)
> >>
> >> Will 'script-src none' not block JS attempts in CSS?
> >
> >CSP forbids any JavaScript from being included in CSS, regardless of
> >what policy you use.
> >
> >> Does it depend on how the spec is implemented (per browser basis)?
> >
> >As far as I know, all modern browsers have already removed the ability
> >to run script from CSS.
> >
> >> Or, does the spec need to be
> >> re-worded to mention that the aforementioned sentence is only applicable
> >> to the script-src directive?
> >
> >There is a security risk to letting folks inject CSS into your
> >document, albeit a smaller risk than letting them inject script.
> >There was a nice talk at Black Hat a couple years ago that talked
> >about the kinds of things an attacker can do by injecting only CSS.
> >For example, using attribute selectors and background images, the
> >attacker might be able to learn the value of form fields, including
> >password fields.
> >
> >It's mostly a question of your risk tolerance.  There's a large
> >security benefit to locking down script-src and object-src.  There's a
> >smaller security benefit to locking down style-src.  We should update
> >the spec to have some more nuanced text on this topic.
> >
> >Adam
>
>
>

Received on Tuesday, 20 March 2012 02:02:56 UTC