- From: Eduardo' Vela <evn@google.com>
- Date: Mon, 19 Mar 2012 19:02:07 -0700
- To: sec_ext <sec_ext@fb.com>
- Cc: Adam Barth <w3c@adambarth.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAFswPa-vuJcu_7y_Z2hwy2-O8zo2sx_fCogvmj+5NO6J8zgZEA@mail.gmail.com>
> It is not entirely clear how allowing inline CSS ('style-src 'unsafe-inline';) can lead to XSS if you are blocking inline and external JS (script-src none;)

https://docs.google.com/viewer?url=http://www.businessinfo.co.uk/labs/talk/The_Sexy_Assassin.ppt

That predates CSP, but well... some of the things Adam mentions start in slide 22. The attacks were improved considerably since then... I think Mario ended up with just 1 req per char.

So for the Facebook case, one could potentially read fb_dtsg.

Greetings!!

On Mon, Mar 19, 2012 at 3:36 PM, sec_ext <sec_ext@fb.com> wrote:

> Hey Adam,
>
> Thanks for the clarification, my main concern was with the "if they wish to protect themselves against XSS" portion.
>
> Definitely aware of the other associated risks :)
>
> Thanks again
>
> On 3/19/12 3:25 PM, "Adam Barth" <w3c@adambarth.com> wrote:
>
> > On Mon, Mar 19, 2012 at 2:48 PM, sec_ext <sec_ext@fb.com> wrote:
> > > In the CSP specification, it states "authors should not include 'unsafe-inline' in their CSP policies if they wish to protect themselves against XSS."
> > >
> > > It is not entirely clear how allowing inline CSS ('style-src 'unsafe-inline';) can lead to XSS if you are blocking inline and external JS (script-src none;)
> > >
> > > Will 'script-src none' not block JS attempts in CSS?
> >
> > CSP forbids any JavaScript from being included in CSS, regardless of what policy you use.
> >
> > > Does it depend on how the spec is implemented (per browser basis)?
> >
> > As far as I know, all modern browsers have already removed the ability to run script from CSS.
> >
> > > Or, does the spec need to be re-worded to mention that the aforementioned sentence is only applicable to the script-src directive?
> >
> > There is a security risk to letting folks inject CSS into your document, albeit a smaller risk than letting them inject script. There was a nice talk at Black Hat a couple years ago that talked about the kinds of things an attacker can do by injecting only CSS. For example, using attribute selectors and background images, the attacker might be able to learn the value of form fields, including password fields.
> >
> > It's mostly a question of your risk tolerance. There's a large security benefit to locking down script-src and object-src. There's a smaller security benefit to locking down style-src. We should update the spec to have some more nuanced text on this topic.
> >
> > Adam
Received on Tuesday, 20 March 2012 02:02:56 UTC
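As an added example that is not part of the thread, a small Python checker that parses a Content-Security-Policy header and flags the gap discussed above: script-src locked down while style-src is left unrestricted or still carries 'unsafe-inline'. The weak policy string mirrors the one sec_ext asked about; the hardened alternative and the wording of the findings are constructed for this example.

```python
# Added example: review a CSP header for the script-src / style-src gap
# discussed in the thread. Policy strings and finding texts are constructed.
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split "dir src src; dir src" into {directive: [sources]}.
    Directive names and keyword sources are matched case-insensitively."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """A fetch directive that is absent falls back to default-src."""
    return policy.get(directive, policy.get("default-src", []))


def review_csp(header: str) -> List[str]:
    """One finding per directive that still lets injected content run or render.
    script-src covers XSS; style-src covers CSS injection, which Adam notes can
    leak form-field values through attribute selectors and background images."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive, risk in (("script-src", "XSS"), ("style-src", "CSS injection")):
        # Neither the directive nor default-src present: nothing restricts it.
        if directive not in policy and "default-src" not in policy:
            findings.append(f"{directive} unrestricted (neither it nor default-src is set): {risk}")
            continue
        # 'unsafe-inline' is the keyword the spec warns against for XSS protection.
        if "'unsafe-inline'" in effective_sources(policy, directive):
            findings.append(f"{directive} allows 'unsafe-inline': {risk}")
    return findings


# Constructed policies: the one asked about in the thread, and a tighter one
# that serves stylesheets only from the page's own origin.
WEAK_POLICY = "script-src 'none'; style-src 'unsafe-inline'"
HARDENED_POLICY = "default-src 'none'; script-src 'none'; style-src 'self'"

if __name__ == "__main__":
    for name, header in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, review_csp(header) or ["no findings"])
```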