Re: SEC Consult's "CSP Bypasses"

On Wed, Jul 17, 2013 at 7:04 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Jul 16, 2013 at 1:46 PM, Mike West <mkwst@google.com> wrote:
> > #1: Prerendering/prefetching: Injecting `<link id=1 rel="prerender"
> > href="http://example.com/">` can cause a credential request to be made
> > on a user's behalf. The author suggests that `connect-src` should
> > control this behavior: I think I agree, even though it's not a perfect
> > fit.
>
> Isn't frame-src closer?
>

Might be, yes. `connect-src` seemed more apt, since prefetching is
invisible to the user in ways that frames generally aren't, but I'm not
strongly tied to either.

I do, however, want to avoid introducing another directive for this case.
Our list of directives is already bursting at the seams, and with one or
two notable exceptions (referer policy, for example), I think we're
probably pretty much at the limits of what's reasonable for 1.1.

> > #2: `<meta refresh>`: Injecting a meta tag that refreshes to a data URL
> > can cause script to execute. It won't be same-origin with the page into
> > which it was injected, but depending on the script, it could be a
> > phishing vector, etc. This doesn't really fit any of the directives
> > (`form-action` is closest), but it certainly doesn't seem worthwhile to
> > add a `meta-action` directive. I could see it falling under the
> > 'unsafe-inline' bits of `script-src`, I suppose (weakly hanging my hat
> > on "The directive also controls other resources, such as XSLT style
> > sheets [XSLT], which can cause the user agent to execute script.").
> > Suggestions would be appreciated.
>
> How is this not frame-src? Or is this about top-level? What's the
> scenario there?
>

The scenario is injection causing automagical top-level navigation. That's
why `script-src 'unsafe-inline'` seems like a quasi-decent fit, and why
`frame-src` doesn't seem relevant enough. *shrug*

-mike

Received on Wednesday, 17 July 2013 17:37:29 UTC
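The thread is about which directive should gate a prerender `<link>` or a `<meta refresh>` to a `data:` URL, and the practical question for a site owner is what a given policy would actually permit under each candidate directive. The following is an added example, not code from the thread, from W3C, or from any browser's CSP implementation: a small Python source-list matcher that parses a CSP header, applies `default-src` fallback, and reports whether a URL is allowed under a directive name you pass in. The policy, the page origin `https://app.example.org`, and the URLs are constructed for the demonstration; `http://example.com/` is the prerender target quoted in the thread.

```python
"""Minimal CSP source-list matcher (added example, not a reference implementation)."""
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when absent (CSP 1.1 set).
DEFAULT_SRC_FALLBACK = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src",
}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.
    A repeated directive is ignored: the first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            name, *sources = tokens
            policy.setdefault(name.lower(), sources)
    return policy


def _origin_parts(url):
    """(scheme, host, effective port) of a URL; port is None for non-network schemes."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def _host_matches(pattern, host):
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):          # *.example.org matches api.example.org, not example.org
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(expr, url, page_origin):
    """Does one source expression match the URL? Keyword sources other than
    'self'/'none' (e.g. 'unsafe-inline', nonces) never match a URL."""
    expr_l = expr.lower()
    scheme, host, port = _origin_parts(url)
    if expr_l == "'none'":
        return False
    if expr_l == "'self'":
        return (scheme, host, port) == _origin_parts(page_origin)
    if expr_l.startswith("'"):
        return False
    if expr_l == "*":
        return scheme in DEFAULT_PORTS   # data:, blob: etc. must be listed explicitly
    if expr_l.endswith(":") and "/" not in expr_l:
        return scheme == expr_l[:-1]     # scheme-source such as "data:" or "https:"
    # host-source: [scheme://]host[:port][/path]; the path is ignored here
    expr_scheme, rest = expr_l.split("://", 1) if "://" in expr_l else (None, expr_l)
    hostport = rest.split("/", 1)[0]
    expr_host, expr_port = hostport.rsplit(":", 1) if ":" in hostport else (hostport, None)
    if expr_scheme is not None:
        if expr_scheme != scheme:
            return False
    else:
        page_scheme = _origin_parts(page_origin)[0]
        if scheme != page_scheme and not (page_scheme == "http" and scheme == "https"):
            return False
    if not _host_matches(expr_host, host):
        return False
    if expr_port is None:
        return port == DEFAULT_PORTS.get(expr_scheme or scheme)
    return expr_port == "*" or str(port) == expr_port


def directive_allows(policy, directive, url, page_origin):
    """Apply a directive to a URL, falling back to default-src for fetch
    directives; with neither present, CSP imposes no restriction."""
    sources = policy.get(directive)
    if sources is None and directive in DEFAULT_SRC_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


# Constructed demonstration policy and page origin.
PAGE_ORIGIN = "https://app.example.org"
POLICY = parse_csp("default-src 'self'; connect-src 'self' https://api.example.org; "
                   "frame-src 'none'; script-src 'self'")


def verdicts(url, directives=("connect-src", "frame-src", "script-src")):
    """Which of the candidate directives would permit this URL under POLICY."""
    return {d: directive_allows(POLICY, d, url, PAGE_ORIGIN) for d in directives}


if __name__ == "__main__":
    print("prerender target:", verdicts("http://example.com/"))
    print("meta refresh to data URL:", verdicts("data:text/html,hello"))
```

`verdicts()` takes the directive as a parameter on purpose: the thread has not settled whether prerender belongs to `connect-src` or `frame-src`, so the matcher answers "what would each choice block" rather than picking one. Note that `*` and `'self'` never match a `data:` URL, so the meta-refresh case is blocked under any of the candidate directives unless `data:` is listed explicitly.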