- From: Mike West <mkwst@google.com>
- Date: Tue, 16 Jul 2013 22:46:19 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=en5w4Zw8=-J8NMw4cJOykrT75U5s=zRYXoe2xscFYYyQ@mail.gmail.com>
I ran across http://blog.sec-consult.com/2013/07/content-security-policy-csp-another.html<http://blog.sec-consult.com/2013/07/content-security-policy-csp-another.html?m=1> earlier in the week: while I don't think any of the described CSP bypasses are particularly dangerous, I think #1 and #2 are worth considering for a few moments. #1: Prerendering/prefetching: Injecting `<link id=1 rel="prerender" href=" http://example.com/">` can cause a credential request to be made on a user's behalf. The author suggests that `connect-src` should control this behavior: I think I agree, even though it's not a perfect fit. #2: `<meta refresh>`: Injecting a meta tag that refreshes to a data URL can cause script to execute. It won't be same-origin with the page into which it was injected, but depending on the script, it could be a phishing vector, etc. This doesn't really fit any of the directives (`form-action` is closest), but it certainly doesn't seem worthwhile to add a `meta-action` directive. I could see it falling under the 'unsafe-inline' bits of `script-src`, I suppose (weakly hanging my hat on "The directive also controls other resources, such as XSLT style sheets [XSLT], which can cause the user agent to execute script."). Suggestions would be appreciated. #3 is straightforward: if you include 'unsafe-inline', you're beyond saving. WDYT? -- Mike West <mkwst@google.com>, Developer Advocate Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
Received on Tuesday, 16 July 2013 20:47:08 UTC