W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2013

Re: SEC Consult's "CSP Bypasses"

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 17 Jul 2013 10:04:40 -0700
Message-ID: <CADnb78gyzswM6jsn_d0obu7AZ46UQOS-ARL-KB5A+yRgwswdSg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Jul 16, 2013 at 1:46 PM, Mike West <mkwst@google.com> wrote:
> #1: Prerendering/prefetching: Injecting `<link id=1 rel="prerender"
> href="http://example.com/">` can cause a credential request to be made on a
> user's behalf. The author suggests that `connect-src` should control this
> behavior: I think I agree, even though it's not a perfect fit.

Isn't frame-src closer?

> #2: `<meta refresh>`: Injecting a meta tag that refreshes to a data URL can
> cause script to execute. It won't be same-origin with the page into which it
> was injected, but depending on the script, it could be a phishing vector,
> etc. This doesn't really fit any of the directives (`form-action` is
> closest), but it certainly doesn't seem worthwhile to add a `meta-action`
> directive. I could see it falling under the 'unsafe-inline' bits of
> `script-src`, I suppose (weakly hanging my hat on "The directive also
> controls other resources, such as XSLT style sheets [XSLT], which can cause
> the user agent to execute script."). Suggestions would be appreciated.

How is this not frame-src? Or is this about top-level? What's the
scenario there?

Received on Wednesday, 17 July 2013 17:05:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:34 UTC