- From: Alex Russell <slightlyoff@google.com>
- Date: Thu, 28 Feb 2013 02:28:04 +0000
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Adam Barth <w3c@adambarth.com>, Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Michal Zalewski <lcamtuf@google.com>
- Message-ID: <CANr5HFU8J8vWYm0A+-r36U0bY0E+9e5y51GqcggQ6y0Vc439zQ@mail.gmail.com>
On Thursday, February 28, 2013, Devdatta Akhawe wrote:

> hi Alex
>
> I think that's a great idea! Can you share with us what attacks and how
> they are remediated by controlling base urls? There have been a couple
> of discussions about post-xss attacks.

I think this is the most in-depth thing I've seen on it:
http://lcamtuf.coredump.cx/postxss/

cc-ing the author.

> I personally prefer sensible defaults over opt-in. For example,
> script-src defaults to blocking inline scripts. Users have to opt-out
> to enable inline scripts and eval.
>
> I wonder if we can consider defaulting to "Base URL can only be same
> origin" or "base URL is ignored" as soon as we see a script-src in the
> CSP policy?

This isn't just about scripts; it affects forms, images, and every other
sort of network behavior.

> This might be a little ugly, but I think there is a possibility of
> harm if we don't default to "Turn on CSP script-src and it will take
> care of most problems." In the future, we don't want to see "yeah X %
> of webapps turn on CSP but forgot to specify the base-uri directive"
>
> Is there a way to measure how many applications turn on CSP but
> also need to specify a cross-origin base-uri? I can't actually think
> of a case where this is needed, but I am inexperienced in these
> matters.
>
> --dev
>
> On 27 February 2013 15:57, Adam Barth <w3c@adambarth.com> wrote:
> > Moving to public-webappsec (which is the working group for CSP as
> > opposed to the general Security Interest Group).
> >
> > Adam
> >
> > On Wed, Feb 27, 2013 at 3:53 PM, Alex Russell <slightlyoff@google.com> wrote:
> >> Hi all,
> >>
> >> After chatting with Adam and Mike, I'd like to propose a new CSP field for
> >> setting a restriction on the base URL of a document. Having this provided in
> >> a header and/or early in the page provides a bulwark against many of the
> >> worst post-XSS HTML injection attacks, and when combined with existing CSP
> >> 1.1 directives can deny many of the worst payload smuggling attacks.
> >>
> >> Is there appetite in the group to specify this for 1.1?
> >>
> >> Regards
Received on Thursday, 28 February 2013 02:28:32 UTC