Re: SEC Consult's "CSP Bypasses"

Hi,


17.07.2013, в 0:46, Mike West <mkwst@google.com> написал(а):

> I ran across http://blog.sec-consult.com/2013/07/content-security-policy-csp-another.html earlier in the week: while I don't think any of the described CSP bypasses are particularly dangerous, I think #1 and #2 are worth considering for a few moments.
> 
> #1: Prerendering/prefetching: Injecting `<link id=1 rel="prerender" href="http://example.com/">` can cause a credential request to be made on a user's behalf. The author suggests that `connect-src` should control this behavior: I think I agree, even though it's not a perfect fit.

I don't think that connect-src is good directive for that. Because it isn't about JS interface. 
Currently there is no suitable directive in CSP 1.0 and this is the problem :( It can be something like 'prefetch-src'

> #2: `<meta refresh>`: Injecting a meta tag that refreshes to a data URL can cause script to execute. It won't be same-origin with the page into which it was injected, but depending on the script, it could be a phishing vector, etc. This doesn't really fit any of the directives (`form-action` is closest), but it certainly doesn't seem worthwhile to add a `meta-action` directive. I could see it falling under the 'unsafe-inline' bits of `script-src`, I suppose (weakly hanging my hat on "The directive also controls other resources, such as XSLT style sheets [XSLT], which can cause the user agent to execute script."). Suggestions would be appreciated.
> 

It will be great if browser permits META HTTP-EQUIV tag only in the first <HEAD></HEAD> block...
 
> #3 is straightforward: if you include 'unsafe-inline', you're beyond saving.
> 
> WDYT? 
> 
> --
> Mike West <mkwst@google.com>, Developer Advocate
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

--
Taras
http://oxdef.info
GPG: C8D1F510

Received on Wednesday, 17 July 2013 10:02:03 UTC